Abstract


This thesis investigates how the formal modeling and verification techniques of computer science can be used for the analysis of hybrid systems [7, 14, 22, 37] — systems involving both discrete and continuous behavior. The motivation behind such research lies in the inherent similarity of the hierarchical and decentralized control strategies of hybrid systems and the communication and operation protocols used for distributed systems in computer science. As a case study, the thesis focuses on the development of techniques that use hybrid I/O automata [29, 30] to model and analyze automated vehicle transportation systems and, in particular, their various protection subsystems — control systems that are used to ensure that the physical plant at hand does not violate its various safety requirements.


The thesis is split into two major parts. In the first part, we develop an abstract model of a 
physical plant and its various protection subsystems — also referred to as protectors. The 
specialization of this abstract model results in the specification of a particular automated 
transportation system. Moreover, the proof of correctness of the abstract model leads to 
simple correctness proofs of the protector implementations for particular specializations 
of the abstract model. In this framework, the composition of independent protectors is 
straightforward — their composition guarantees the conjunction of the safety properties 
guaranteed by the individual protectors. In fact, it is shown that under certain conditions 
composition holds for dependent protectors also. 


In the second part, we specialize the aforementioned abstract model to simplified versions of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation. We examine overspeed and collision protection for a set of vehicles traveling on straight tracks, on binary merges, and on a directed graph of tracks involving binary merges and diverges. In each case, the protectors sample the state of the physical plant and take protective actions to guarantee that the physical plant does not reach hazardous states. The proofs of correctness of such protectors involve specializing the abstract protector to the physical plant at hand and proving that the suggested protector implementations are correct. This is done by defining simulations among the states of the protector implementations and their abstract counterparts.
Nomenclature


Acronyms 
ATO Automatic Train Operation 
ATP Automatic Train Protection 
AVO Automated Vehicle Operation 
AVOS Automated Vehicle Operation System 
AVP Automated Vehicle Protection 
AVPS Automated Vehicle Protection System 
HIOA Hybrid I/O Automaton, or Hybrid I/O Automata 
PRT Personal Rapid Transit 


Hybrid I/O Automata Notation

(i, t) A superdense time in an execution fragment α = w0 a1 w1 a2 w2 ⋯.
(i, t, s) An occurrence of a state s in an execution fragment α = w0 a1 w1 a2 w2 ⋯.
α A hybrid execution of a HIOA.
α.fstate The first state of a hybrid execution α = w0 a1 w1 a2 w2 ⋯.
α.lstate The last state of a finite hybrid execution α = w0 a1 w1 ⋯ an wn.
α.ltime The limit time of a hybrid execution α = w0 a1 w1 a2 w2 ⋯.
Σ The set of all actions of a HIOA.
Σ^int The set of internal actions of a HIOA.
Σ^in The set of input actions of a HIOA.
Σ^loc The set of locally controlled actions of a HIOA.
Σ^out The set of output actions of a HIOA.
Θ The set of initial states of a HIOA.
A A hybrid I/O automaton.
E The set of external variables of a HIOA.
L The set of local variables of a HIOA.
U The set of input variables of a HIOA.
V The set of all variables of a HIOA.
X The set of internal variables of a HIOA.
Y The set of output variables of a HIOA.
D The set of discrete transitions of a HIOA.
W The set of trajectories of a HIOA.
h-traces(A) The set of hybrid traces of the HIOA A.
h-trace(α) The hybrid trace of the hybrid execution α.
states(A) The set of all states of the HIOA A.


Latin Abbreviations

cf. confer; Latin for “compare”.
e.g. exempli gratia; Latin for “for example”.
et al. et alii; Latin for “and others”.
etc. et cetera; Latin for “and so forth”.
i.e. id est; Latin for “that is”.
ib. or ibid. ibidem; Latin for “in the same work/place”.
nb. nota bene; Latin for “take special note of”.
op. cit. opere citato; Latin for “in the work/text cited”.
v.g. verbi gratia; Latin for “for example”.
v.i. vide infra; Latin for “see below”.
v.s. vide supra; Latin for “see above”.
viz. videlicet; Latin for “that is to say” or “namely”.
vs. versus; Latin for “against”.


Mathematical Notation

𝒵 The set of valuations of the set of variables Z.
𝒱 The universal set of variables.
|X| The cardinality of the set X.
X̄ The complement of the set X.
f↓X The projection of the function f to the set X.
f↓y The projection of the function f to the element y.
f⌈X The restriction of the function f to the set X.
f, g, h Functions.
T The time axis, i.e., a compact subgroup of (R, +).
T_i An interval in the time axis, i.e., a non-empty convex subset of T.
w.fstate The first state of a trajectory w, i.e., w(0).
w.lstate The last state of a closed trajectory w, i.e., w(w.ltime).
w.ltime The limit time of a trajectory w, i.e., sup(dom(w)).
X − Y The complement of the set Y in the set X, i.e., X ∩ Ȳ.
X :∈ S_X Assignment of an arbitrary element of the set of valuations S_X, where S_X ⊆ 𝒳, to the set of variables X.
x :∈ X Assignment of an arbitrary element of the set of values X, where X ⊆ type(x), to the variable x.
X ∩ Y The intersection of the sets X and Y.
X ∪ Y The union of the sets X and Y.
X \ Y The complement of the set Y in the set X, i.e., X ∩ Ȳ.
P(X) The power set of the set X.
dom(f) The domain of the function f.
range(f) The range of the function f.
trajs(Z) The collection of all trajectories over the set of variables Z.
type(v) The domain over which the variable v ranges.
∅ The empty (or null) set.
N⁺ The set of positive natural numbers, i.e., the set {1, 2, 3, ...}.
N The set of natural numbers, i.e., the set {0, 1, 2, 3, ...}.
R, R^{≥0}, R⁺ The set of all, non-negative, and positive real numbers.
Z, Z^{≥0}, Z⁺ The set of all, non-negative, and positive integers.

Physical Plant and Protector Notation

Δ_max The maximum distance a vehicle can travel if braked after d_max time units.
ċ_max The maximum allowable velocity of any vehicle.
c̈_brake The braking deceleration of a vehicle that has not collided.
c̈_max The maximum acceleration of a vehicle that has not collided.
The minimum acceleration of a vehicle that has not collided.
C_i(t) The section of track claimed by the vehicle i in time t.
The minimum allowable separation between vehicles.
d_max The maximum protector sampling period.
The section of track occupied by the vehicle i, i.e., the extent of the vehicle i.
The section of track owned by the vehicle i.


Chapter 1 


Introduction 


This thesis investigates how the formal modeling and verification techniques of computer science can be used for the analysis of hybrid systems [7, 14, 22, 37] — systems involving both discrete and continuous behavior. The motivation behind such research lies in the inherent similarity of the hierarchical and decentralized control strategies of hybrid systems and the communication and operation protocols used for distributed systems in computer science. As a case study, the thesis focuses on the development of techniques that use hybrid I/O automata [29, 30] to model and analyze automated vehicle transportation systems and, in particular, their various protection subsystems — control systems that are used to ensure that the physical plant at hand does not violate its various safety requirements.

The thesis is split into two major parts. In the first part, we develop an abstract model of a physical plant and its various protection subsystems — also referred to as protectors. The specialization of this abstract model results in the specification of a particular automated transportation system. Moreover, the proof of correctness of the abstract model leads to simple correctness proofs of the protector implementations for particular specializations of the abstract model. In this framework, the composition of independent protectors is straightforward — their composition guarantees the conjunction of the safety properties guaranteed by the individual protectors. In fact, it is shown that under certain conditions composition holds for dependent protectors also.

In the second part, we specialize the aforementioned abstract model to simplified versions of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation. We examine overspeed and collision protection for a set of vehicles traveling on straight tracks, on binary merges, and on a directed graph of tracks involving binary merges and diverges. In each case, the protectors sample the state of the physical plant and take protective actions to guarantee that the physical plant does not reach hazardous states. The proofs of correctness of such protectors involve specializing the abstract protector to the physical plant at hand and proving that the suggested protector implementations are correct. This is done by defining simulations among the states of the protector implementations and their abstract counterparts.


1.1 Hybrid Systems 


The trend of system integration and automation has resulted in large and complex systems involving hierarchical and/or decentralized control structures. The higher levels of control are based on discrete algorithms and are often modeled using finite automata techniques from computer science. The lower levels of control address continuous behavior and are based on well established control theoretic techniques. The inherent complexity of the mix of continuous and discrete control and the need of a precise and efficient model for hybrid systems has encouraged research in this field.


The similarity of the hierarchical and/or decentralized control structure of hybrid systems with the distributed system setting in computer science has nurtured a distributed systems approach of analyzing hybrid systems. This approach is based on various formal modeling techniques developed for the verification and the proof of correctness of distributed systems in computer science. Such techniques use the principles of abstraction and modular decomposition to provide simple and concise models of complex systems. Once a particular system is decomposed into succinct parts, various composition theorems are used to prove that the system is functioning according to its specifications, i.e., the system is correct.


1.1.1 Formal Framework 


The formal modeling techniques that are used in this thesis are based on the hybrid I/O automaton model [29, 30]. This model is an extension of the timed I/O automaton model [11, 34] and allows the explicit treatment of continuous behavior. The hybrid I/O automaton model is inspired by the phase transition models [2, 4, 35, 36].


The hybrid I/O automaton model is a (possibly) infinite state model of a system involving both discrete and continuous behavior. The states of a hybrid I/O automaton (HIOA) are the valuations of a set of variables. The discrete behavior of a HIOA is modeled by discrete jumps in state which are described by labeled transitions. The labels of such transitions are the actions that carry out the transition from the initial to the final state of the jump. The continuous behavior of a HIOA is modeled by continuous changes in state which are described by sets of trajectories. The external interface of a HIOA is dictated by the partition of its variables and its actions into three categories: input, internal, and output. The behavior of the system being modeled over time is described by hybrid executions — finite or infinite alternating sequences of trajectories and actions. The externally visible part of a hybrid execution is denoted as the hybrid trace of the hybrid execution and involves the evolution of the input and output variables of the HIOA.


A HIOA A1 implements another HIOA A2 if every external behavior of A1 is allowed by A2. In this setting A1 and A2 are referred to as the implementation and the specification, respectively. The notion of an implementation relation is given by inclusion of the sets of hybrid traces; that is, the set of hybrid traces of A1 is a subset of the set of hybrid traces of A2. The composition of two HIOA is defined as their synchronization on shared input/output variables and input/output actions. Under straightforward and simple conditions, the composition of two HIOA results in a HIOA. Moreover, composition respects the implementation relation, i.e., supposing B is a HIOA, if the HIOA A1 implements the HIOA A2, then the composition of A1 with B implements the composition of A2 with B.


Most of the proofs in the HIOA framework use invariant assertions and simulations. In the case of invariant assertions, the proofs are by induction on the length of a hybrid execution of the HIOA at hand. Such proofs show that a particular predicate on the state of the HIOA is satisfied in every state of the execution. A simulation is a mapping between the states of the two HIOA and is used to prove that one HIOA implements another. The fact that the mapping is indeed a simulation is again done by induction on the length of a hybrid execution of the implementation. This induction matches up individual steps in the implementation with either single steps, or sequences of steps, in the specification.
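To make the inductive invariant argument concrete, the following Python program is an added worked example; it is not code from the thesis or from the PRT 2000™ project. It generates a hybrid execution of a single vehicle under an overspeed protector, alternating trajectory segments with the protector's discrete brake action at each sampling instant, and checks the invariant ċ ≤ ċ_max in every state of the execution, which is what an inductive invariant proof establishes for all executions. The numeric values of ċ_max, c̈_max, c̈_brake and d_max, the Euler discretisation of the trajectory, and the adversarial operation subsystem that always commands c̈_max are assumptions of the example. The sound protector brakes as soon as the sampled velocity plus c̈_max · d_max (the most the velocity can grow before the next sample, the same reasoning as the Δ_max bound of the nomenclature) would exceed ċ_max; a naive rule that only compares the sample with ċ_max is run beside it to show the invariant failing between samples.

```python
from fractions import Fraction as F

# Constructed parameters for the example (chosen here; not values from the thesis).
V_MAX   = F(20)       # c_max-dot  : maximum allowable velocity
A_MAX   = F(2)        # c_max-ddot : maximum acceleration of a vehicle that has not collided
A_BRAKE = F(4)        # c_brake    : braking deceleration
D_MAX   = F(1, 2)     # d_max      : maximum protector sampling period
DT      = F(1, 10)    # step length of the discretised trajectory; divides D_MAX


def brake_needed_lookahead(sampled_vel):
    """Discrete controller with lookahead: order a brake unless the vehicle can
    accelerate at c_max-ddot for a whole sampling period and still respect V_MAX."""
    return sampled_vel + A_MAX * D_MAX > V_MAX


def brake_needed_naive(sampled_vel):
    """Discrete controller without lookahead: brake only once the sample itself
    is over the limit.  This is the defective rule the run below exposes."""
    return sampled_vel > V_MAX


def run_execution(brake_rule, horizon=F(15)):
    """Build a hybrid execution: trajectory segments of length DT alternating
    with the protector's discrete 'brake' action at sampling instants, and
    check the invariant  vel <= V_MAX  in every state, as an inductive proof
    would.  Returns (invariant_held, peak_velocity, time_of_brake)."""
    pos, vel, braked = F(0), F(0), False
    t, time_of_brake = F(0), None
    invariant_held, peak = vel <= V_MAX, vel          # base case: initial state
    while t < horizon:
        # Sensor automaton: the plant state is sampled every d_max time units
        # and handed to the discrete controller.
        if t % D_MAX == 0 and not braked and brake_rule(vel):
            braked, time_of_brake = True, t           # monotonic: never revoked
        # The operation subsystem is adversarial and commands c_max-ddot unless braked.
        accel = -A_BRAKE if braked else A_MAX
        new_vel = max(F(0), vel + accel * DT)         # velocities stay non-negative
        pos += (vel + new_vel) / 2 * DT               # position along the track
        vel, t = new_vel, t + DT
        invariant_held = invariant_held and vel <= V_MAX   # inductive step
        peak = max(peak, vel)
    return invariant_held, peak, time_of_brake


if __name__ == "__main__":
    for name, rule in (("lookahead", brake_needed_lookahead),
                       ("naive", brake_needed_naive)):
        held, peak, tb = run_execution(rule)
        print(f"{name:9s} invariant={held} peak={peak} brake_at={tb}")
```

With these parameters the lookahead rule reaches a peak velocity of exactly ċ_max and orders the brake at t = 10, whereas the naive rule lets the vehicle reach 21 before braking at t = 10.5. Exact Fraction arithmetic keeps the comparison with ċ_max free of rounding, which matters precisely when the invariant holds with equality.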


1.1.2 Related Work 


The recent interest in the area of hybrid systems has resulted in a number of techniques to model and analyze their behavior. In particular, models that are analogous to the timed I/O automaton model [11, 34] are the models of Alur and Dill [6], Lamport [20], and Henzinger, Manna, and Pnueli [18]. As is the case with the timed I/O automaton model, these models have also been extended to the hybrid setting; for instance, the timed transition model [18] has been extended to the phase transition model [35, 36]. Phase transition systems are analogous to hybrid I/O automata — the transitions and the activities of phase transition systems correspond to the discrete transitions and the trajectories of hybrid I/O automata. The hybrid system model [2, 4] is similar to the phase transition model with the distinction that, as in the hybrid I/O automaton model, discrete transitions are labeled, thus allowing the appropriate synchronization of composed automata. The distinction between the hybrid system model [2, 4] and the hybrid I/O automaton model lies in the latter’s classification of the discrete transitions and variables into input, internal, and output.


In the realm of applications, the formal modeling techniques presented above have been used for the analysis of various problems. The railroad crossing problem [15] and the steam boiler problem [1, 21] comprise two commonly used benchmark problems. The former benchmark problem considers the control of a railroad gate that prevents cars and pedestrians from crossing the railroad tracks while the train is in the vicinity of the crossing. This gate must be lowered prior to the arrival of the train and lifted once the train has passed by. The latter benchmark problem involves the control of the level of water in a steam boiler.


The success in the modeling, analysis, and controller design for the above benchmark problems has encouraged the formal modeling of more complex hybrid systems; for example, automated transportation systems [41, 42], industrial and chemical processes [9, 40], rail-vehicle control [39], and complex automotive suspension systems [38]. The motivation behind such research lies mostly in the safety-critical nature of the systems at hand. In the case of automated transportation systems, the safety of the passengers has greatly encouraged the use of formal techniques.


The recent interest in addressing safety concerns related to automated highway systems and, in particular, the California PATH project [41], has resulted in a surge of hybrid system problems. The goal of PATH is to increase vehicle throughput by organizing traffic into platoons of closely spaced vehicles. Godbole, Lygeros, and Sastry [12, 13, 23, 25, 27] at U.C. Berkeley have studied various problems that arise in the control of the vehicle platoons. Such problems address the control of the leader of a platoon in view of following the preceding platoon at a safe distance, tracking an optimal cruising velocity, and performing various platoon maneuvers. The platoon maneuvers that have been addressed are the platoon join, in which two or more adjacent platoons join to form a single platoon, the platoon split, in which a platoon splits in two, and the platoon lane change. Lygeros [22] and Lygeros et al. [26, 27] used a game theoretic approach to prove that all platoon maneuvers are safe. Recently, Dolginova and Lynch [8] have used hybrid I/O automata to model and verify the safety of the platoon join maneuver.


On a similar note, Weinberg [43] has analyzed a deceleration maneuver in which a discrete controller slows a train down to a target velocity range within a given distance. In further research, Weinberg et al. [42] have modeled the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation and verified the correct operation of the emergency control components used to guarantee that the vehicles neither exceed a prespecified speed limit, nor collide among themselves.


1.2 Automated Transportation Systems 


Among the hybrid systems that are being analyzed using formal methods, systems in transportation are particularly common. This is due to the fact that such systems are safety-critical and, therefore, their correct analysis and verification is of uttermost importance.


Figure 1.1 Separation of system functionality into operation and protection. (Panels: Operation Subsystem, Protection Subsystem, Physical Plant.)

An important feature of the design of the various autonomous transportation systems is their absolute safety requirements. These requirements translate to stringent design criteria and have led to the complete separation of the system functionality into the parallel components of operation and protection as shown in Figure 1.1. The operation component is responsible for the “normal” control of the system and can be composed of complex software and hardware. The protection component is responsible for the “emergency” control of the system and is designed to be simple and reliable. In ordinary operation, the protection component is not supposed to take any action — it merely monitors the system. In a potentially hazardous situation, however, the protection component must react strongly enough to guarantee that, regardless of the behavior of the operation component, the safety requirements are met. In the interest of making the protection component reliable, designers keep it simple; instead of having complex control abilities, the protection component depends only on the correct execution of a few decisive emergency commands.


The separation of operation and protection functions is a generally recognized engineering paradigm for the design of safety-critical systems. In the realm of transportation systems, this structure was initially used in the design of railroad systems. Automatic safety systems were added to human-controlled railroad systems to protect against human error and mechanical malfunctions. As railroad and mass transit systems have evolved to become more automated, this division of labor has been retained in the form of Automatic Train Operation (ATO) and Automatic Train Protection (ATP) systems. This paradigm occurs in most existing automated train systems, including the Washington Metro, the Miami People Mover, the O’Hare People Mover, the Detroit People Mover, and systems in Toronto, Vancouver, and Jacksonville. The use of this split migrated to automated vehicle transportation systems with the pioneering Morgantown PRT system in the late sixties; this system has been in continuous active use for over 20 years with no serious accidents.


1.2.1 The PRT 2000™ 


Raytheon engineers are currently working on the design and development of a new personal rapid transit (PRT) system called PRT 2000™. This system uses 4-passenger vehicles that travel on an elevated guideway with Y-shaped merges and diverges. Passengers on this system board at stations and travel directly to their desired destination stations without intermediate stops. Compared to conventional transportation systems, the PRT 2000™ can provide shorter average trip times and shorter average waiting times with equivalent passenger throughput. These performance improvements are achieved because the vehicles are separated on the guideway by only a few seconds, instead of the minutes typical of a conventional transit system. The vehicles are controlled by a distributed network of computers, which receive data from sensors on the vehicles and in the tracks.


Once again, the control of the PRT 2000™ is split into the Automated Vehicle Operation System (AVOS) and the Automated Vehicle Protection System (AVPS). The AVOS is in charge of the normal operation of the system and the AVPS is used to protect the system against hazards.


1.2.2 Formal Modeling of the PRT 2000™


The safety-critical nature of the PRT 2000™ has led to an interest in modeling its protection system using formal modeling techniques from computer science. The advantage of using such modeling methods is twofold. First, they formalize the safety concerns addressed by the protection system and, second, they are used to prove the correctness of the protection system at hand. The safety properties that are addressed are those of overspeed and collision avoidance, i.e., either the property that the vehicles comprising the system do not exceed the speed limit, or the property that they do not collide among themselves. These are by no means the only safety requirements enforced by the AVPS of the PRT 2000™, but they are among the most important and complex.


The approach to modeling this automated transportation system is based on abstraction and modular decomposition. Abstraction is used to mask all inessential implementation details from the model of the system. Modular decomposition is used either to model each of the safety properties in isolation, or to model a particular safety property as the conjunction of several less complex safety properties. As shown in Figure 1.2, the protection system is defined as the composition of a set of simpler modules referred to as protectors. The composition of all these protectors results in a protection system that enforces the conjunction of the safety properties enforced by the individual protectors being composed. For instance, in the case of a protection system that prevents the vehicles from exceeding the speed limit, each of the protectors would correspond to protection subsystems that prevent individual vehicles from exceeding the speed limit. However, their composition would constitute an overspeed protection system for all the vehicles.


Figure 1.2 Modular decomposition of the AVPS of the PRT 2000™.

This thesis extends the work by Weinberg, Lynch, and Delisle [42] on modeling the AVPS of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation. Weinberg et al. [42] model the PRT 2000™ as a transportation system where:

• vehicles are traveling on a single track,
• vehicle velocities are non-negative,
• vehicles can stop instantaneously, as if they could hit a brick wall,
• collisions among vehicles are pairwise,
• brakes are binary, i.e., the braking of a particular vehicle results in a vehicle deceleration equal to a prespecified value,
• the acceleration is constrained to a particular range of values, and
• the vehicle brakes comprise monotonic system constraints, i.e., the instruction of a vehicle to brake can never be revoked.


In addition to the above assumptions, the communication among the various subsystems of 
the PRT 2000™ is assumed to be reliable, periodic, and timely. 


Weinberg et al. [42] verify the correctness of the overspeed and the collision protection subsystems. First, it is shown that the overspeed protector guarantees that none of the vehicles exceed the speed limit and that the collision protector prohibits vehicle collisions provided that none of the vehicles exceed the speed limit. Then, using a one-way dependence protector composition theorem, it is shown that the composition of the overspeed and collision protectors guarantees that the vehicles neither exceed the speed limit, nor collide among themselves. It should be noted that the model of the physical plant is simplified to the point that abrupt changes of the vehicle velocities, due to collisions for example, are not modeled. The advantage of this simplification is that the overspeed protector does not depend on the collision protector and, therefore, the one-way dependence protector composition theorem suffices. The disadvantage is that the simplified model might not be a truthful representation of the real physical plant.


In this thesis, we extend the protector composition results of Weinberg et al. [42] and relax their modeling assumptions about the PRT 2000™. Regarding the composition of protection systems, we present theorems that dictate the conditions under which the composition of independent, one-way dependent, and even two-way dependent protectors guarantees the conjunction of the safety properties guaranteed by the individual protectors being composed. Regarding the transportation system model, two of the aforementioned assumptions are relaxed. First, the constraint on the track topology is gradually relaxed from that of a single track to that of a general track topology involving a directed graph of tracks comprised of Y-shaped merges and diverges. Second, the monotonicity constraint on the instruction of the vehicles to brake is relaxed such that the instruction of a vehicle to brake may be revoked, provided the vehicle in question is out of risk. Moreover, in an effort to truthfully model the transportation system, we extend the model of the physical plant to allow vehicle collisions that can adversely affect the velocity and the acceleration of the vehicles involved in a collision. Thus, since collisions may cause instantaneous jumps in vehicle velocities, the overspeed protector must require that no collisions ever occur in the physical plant; that is, the overspeed and the collision protectors are two-way dependent. Subsequently, it is shown that the two-way dependence composition conditions are met by the proposed overspeed and collision protectors and that their composition results in a protection system that guarantees that the vehicles neither exceed the speed limit, nor collide among themselves.


1.3 Thesis Overview


In order for this thesis to be self contained, Chapter 2 gives a short and terse treatment of the hybrid I/O automaton model [30] and describes the conventions used in the specification of HIOA in this thesis. In order to facilitate the modeling of complex system properties, we introduce notation to allow the explicit restriction of the states of a hybrid I/O automaton to sets of states that are comprised of all states satisfying complex state properties of the HIOA. In Chapter 3, we present an abstract model of a physical plant interacting with various protection systems. Both the physical plant and the protection systems are modeled as hybrid I/O automata. Provided that protectors are independent, they can be composed and their composition guarantees the conjunction of the safety properties guaranteed by the individual protectors being composed. Under certain conditions, the same applies for the composition of protectors that rely on the correct operation of each other. The abstract protector is defined as the composition of a sensor automaton and a discrete controller automaton. The sensor samples the state of the physical plant at regular intervals of time and the discrete controller issues protective actions so as to guarantee that the physical plant exhibits a particular safety property.

In subsequent chapters, we present a simple model of the PRT 2000™ and introduce overspeed and collision protectors. This is done for increasingly complicated track topologies. First we consider a single track, then a Y-shaped merge, and, finally, a general track topology comprised of Y-shaped merges and diverges. Chapter 4 defines a system of n vehicles traveling on a single track and Chapters 5 and 6 define its overspeed and collision protectors. Chapter 7 extends the model of the physical plant to involve a Y-shaped merge and defines a collision protector for the new model. Chapter 8 augments the model of the physical plant to involve a general track topology comprised of Y-shaped merges and diverges and defines a collision protector for the new model. In Chapter 9, we prove that the overspeed and collision protectors of the various track topologies can be composed so as to guarantee that the vehicles neither exceed the speed limit, nor collide among themselves. Finally, in Chapter 10 we give a summary of the thesis, an evaluation of the research presented, and directions in which such research could be extended or continued.
Chapter 2


Hybrid I/O Automata 


The hybrid I/O automaton (HIOA) model [29, 30] is based on the timed I/O automaton model [10, 11, 33, 34], but includes explicit treatment of continuous behavior. To make this thesis self contained, this chapter gives a complete but terse treatment of the HIOA model with an emphasis on those aspects used in subsequent chapters. The presentation follows precisely that of Lynch, Segala, Vaandrager, and Weinberg [30].


The chapter is organized as follows. We begin by defining auxiliary concepts and notation pertaining to functions, time, variables, valuations, and trajectories. We proceed to define hybrid I/O automata, hybrid executions, and hybrid traces. Next, we define a simulation relation between a pair of HIOA and the notion of HIOA composition. Finally, we describe the conventions used in the specification of HIOA in this thesis. In particular, we describe how states, discrete transitions, and trajectories of a HIOA are specified and how to explicitly restrict the states of a HIOA in view of enforcing complex state properties.


2.1 Preliminary Mathematical Notation 


This section defines various auxiliary concepts and notation that are used in the definition 
of the hybrid I/O automaton model. 


Functions 


With dom(f) and range(f) we denote the domain and the range, respectively, of the function f. If f is a function and X a set, then we write f⌈X for the restriction of f to X, i.e., the function g with dom(g) = dom(f) ∩ X satisfying g(x) = f(x), for all x ∈ dom(g). We say that two functions f and g are compatible if f⌈dom(g) = g⌈dom(f). If f and g are compatible functions, then we write f ∪ g for the function h with dom(h) = dom(f) ∪ dom(g) such that h(x) = f(x), if x ∈ dom(f), and h(x) = g(x), otherwise, for all x ∈ dom(h). More generally, if F is a set of pairwise compatible functions then we write ∪_{f ∈ F} f for the unique function g with dom(g) = ∪_{f ∈ F} dom(f) such that g(x) = f(x), for all f ∈ F and x ∈ dom(f). If f is a function whose range consists of a set of functions and X is a set, then the projection f↓X is the restriction of the functions in range(f) to the set X, i.e., the function g with dom(g) = dom(f) defined by g(x) = f(x)⌈X, for all x ∈ dom(g). The projection operator ↓ extends to sets of functions by pointwise extension. Also, if f is a function whose range consists of a set of functions that all have an element y in their domain, then the projection f↓y is the function with domain dom(f) defined by f↓y(x) = f(x)(y), for all x ∈ dom(f).


Time 


Throughout this thesis, we fix the time axis $\mathsf{T}$ to be a compact subgroup of $(\mathbb{R}, +)$, i.e., the real numbers with addition. Henceforth, we exclusively use the set of real numbers $\mathbb{R}$ as the time axis. An interval $T_I$ is a non-empty convex subset of $\mathsf{T}$. As usual, intervals are denoted by $[t_1, t_2] = \{t \in \mathsf{T} \mid t_1 \le t \le t_2\}$, etc. An interval $T_I$ is right-open (left-open), if it does not have a maximum (minimum) element, and right-closed (left-closed), otherwise. We write $\max(T_I)$ and $\min(T_I)$ for the maximum and the minimum elements, respectively, of the interval $T_I$ (if they exist), and $\sup(T_I)$ and $\inf(T_I)$ for the supremum and infimum, respectively, of the interval $T_I$ in $\mathsf{T} \cup \{-\infty, \infty\}$. For $T' \subseteq \mathsf{T}$ and $t \in \mathsf{T}$, we define $T' + t = \{t' + t \mid t' \in T'\}$. Thus, for a function $f$ with domain $T'$, we define $f + t$ to be the function with domain $T' + t$ satisfying $f + t(t') = f(t' - t)$, for all $t' \in T' + t$.


Variables and Valuations 


We assume a universal set $\mathcal{V}$ of variables. Variables in $\mathcal{V}$ are typed, where the type of a variable, such as reals, integers, etc., is given by $\mathit{type}(v)$; that is, $\mathit{type}(v)$ is the domain over which the variable $v$ ranges. Letting $V \subseteq \mathcal{V}$, a valuation of $V$ is a function that associates to each variable $v$ of $V$ a value in $\mathit{type}(v)$. We adopt the convention that the set of all valuations of a set of variables $V$ is denoted by $\mathbf{V}$. Often, valuations of a set of variables $V$ are referred to as states.

Letting $v \in \mathcal{V}$ and $S_v \subseteq \mathit{type}(v)$, we use the notation $v :\in S_v$ to denote the assignment of an arbitrary element of the set $S_v$ to the variable $v$. Similarly, letting $V \subseteq \mathcal{V}$ and $S_V \subseteq \mathbf{V}$, we use the notation $V :\in S_V$ to denote the assignment of an element of the set $\mathit{type}(v)$ to the variable $v$, for each $v$ in $V$, such that the resulting valuation of $V$ is an arbitrary element of the set $S_V$.


Let $Z$ be a set of variables, $z$ be a state of $Z$, and $Z'$ be a subset of $Z$, i.e., $Z \subseteq \mathcal{V}$, $z \in \mathbf{Z}$, and $Z' \subseteq Z$. The restriction of the state $z$ to the set of variables $Z'$, denoted by $z\lceil Z'$, is defined to be the valuation $z'$ of the variables of $Z'$ in $z$. Letting $X \subseteq \mathbf{Z}$, we say that $X$ is $Z'$-determinable if for all $x \in X$ and $z \in \mathbf{Z}$, such that $x\lceil Z' = z\lceil Z'$, it is the case that $z \in X$. Intuitively, if $X$ is $Z'$-determinable then, for any state $z$ in $\mathbf{Z}$, the information provided by the restriction of the state $z$ to the set of variables $Z'$ is sufficient to determine whether the state $z$ is a member of the set $X$. In other words, the information provided by the restriction of the state $z$ to the set of variables $Z - Z'$ is irrelevant in the determination of whether the state $z$ is a member of the set $X$. Moreover, if $X$ is $Z'$-determinable and $z' \in \mathbf{Z}'$, we use the notation $z' \in X$ to denote that there exists a state $x \in X$ such that $x\lceil Z' = z'$. In fact, since $X$ is $Z'$-determinable, the existence of a state $x \in X$ such that $x\lceil Z' = z'$ implies that for all states $z \in \mathbf{Z}$ such that $z\lceil Z' = z'$ it is the case that $z \in X$.


Trajectories 


A trajectory over a set of variables $Z$ is a function $w : T_I \to \mathbf{Z}$, where $T_I$ is a left-closed interval of $\mathsf{T}$ with left endpoint equal to 0. A trajectory represents the evolution of the valuations of the variables in $Z$ within a $T_I$ interval. With $\mathit{dom}(w)$ we denote the domain of $w$ and with $\mathit{trajs}(Z)$ the collection of all trajectories over $Z$. A trajectory $w$ with domain $T_I$ is often referred to as a $T_I$-trajectory.

A trajectory $w$ is closed, if its domain is a (finite) right-closed interval, and full, if its domain equals $\mathsf{T}^{\ge 0}$. For $W$ a set of trajectories, $\mathit{Closed}(W)$ and $\mathit{Full}(W)$ denote the subsets of closed and full trajectories in $W$, respectively. If $w$ is a trajectory, then the limit time of $w$, denoted by $w.\mathit{ltime}$, is defined to be the supremum of $\mathit{dom}(w)$. A trajectory $w$ is finite if $w.\mathit{ltime} \ne \infty$. We define the first state of a trajectory $w$, denoted by $w.\mathit{fstate}$, to be the state $w(0)$. Moreover, if the domain of a trajectory $w$ is right-closed, then we define the last state of $w$, denoted by $w.\mathit{lstate}$, to be the state $w(w.\mathit{ltime})$. A trajectory with domain $[0, 0]$ is called a point trajectory. If $s$ is a state, then we define $\wp(s)$ to be the point trajectory that maps 0 to $s$.




For a trajectory $w$ and $t \in \mathsf{T}^{\ge 0}$, we define $w \unlhd t \triangleq w\lceil[0, t]$ and $w \lhd t \triangleq w\lceil[0, t)$. It is important to note that $w \lhd 0$ is not a trajectory. By convention, $w \lhd \infty \triangleq w \unlhd \infty \triangleq w$. Similarly, if $w$ is a trajectory and $T_I$ is a left-closed interval with $\min(T_I) \in \mathit{dom}(w)$, then we define the curtailment of $w$ to $T_I$, denoted by $w \dagger T_I$, to be the trajectory $(w\lceil T_I) - \min(T_I)$, or equivalently the trajectory $w'$ with domain $(T_I \cap \mathit{dom}(w)) - \min(T_I)$ defined by $w'(t') = w(t' + \min(T_I))$, for all $t' \in \mathit{dom}(w')$.

If $w$ is a trajectory over $Z$ and $Z' \subseteq Z$, then the projection $w \downarrow Z'$ is the trajectory over $Z'$ with domain $\mathit{dom}(w)$ defined by $w \downarrow Z'(t)(z') = w(t)(z')$, for all $z' \in Z'$. The projection operation is extended to sets of trajectories by pointwise extension. Also, if $w$ is a trajectory over $Z$ and $z \in Z$, then the projection $w \downarrow z$ is the function from $\mathit{dom}(w)$ to the domain of $z$ defined by $w \downarrow z(t) = w(t)(z)$.


If $w$ is a finite trajectory with domain $T_I$, $w'$ is a trajectory with domain $T_I'$, and $w.\mathit{lstate} = w'.\mathit{fstate}$ if $w$ is closed, then we define the concatenation of $w$ and $w'$ to be the trajectory $w \frown w' = w \cup (w' + w.\mathit{ltime})$. We extend the concatenation operator to an infinite sequence of finite trajectories $w_0 w_1 w_2 \cdots$. If $w_i.\mathit{lstate} = w_{i+1}.\mathit{fstate}$, for each trajectory pair $w_i$ and $w_{i+1}$, for $i \in \mathbb{N}$, in which the trajectory $w_i$ is closed, then we define the infinite concatenation of the infinite sequence of finite trajectories $w_0 w_1 w_2 \cdots$ to be the trajectory $w_0 \frown w_1 \frown w_2 \cdots = \bigcup_{i \in \mathbb{N}} \big(w_i + \sum_{j < i} w_j.\mathit{ltime}\big)$.

A trajectory $w$ is a prefix of a trajectory $w'$, denoted by $w \le w'$, if $w = w'\lceil\mathit{dom}(w)$; that is, either $w = w'$, or $w' = w \frown w''$, for some trajectory $w''$. With $\mathit{Pref}(W)$ we denote the prefix-closure of $W$: $\mathit{Pref}(W) = \{w \mid \exists w' \in W : w \le w'\}$. A set $W$ is prefix closed if $W = \mathit{Pref}(W)$. A trajectory in $W$ is maximal if it is not a prefix of any other trajectory in $W$. We write $\mathit{Max}(W)$ for the subset of maximal trajectories in $W$.


2.2 The Hybrid I/O Automaton Model

A hybrid I/O automaton $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, D, W)$ consists of the following components:

• Three disjoint sets $U$, $X$, and $Y$ of variables, called input, internal, and output variables, respectively. Variables in $E = U \cup Y$ are called external, and variables in $L = X \cup Y$ are called local. We write $V = U \cup L$ and let $s$, $u$, and $w$ range over $\mathbf{V}$, $\mathbf{U}$, and $\mathit{trajs}(V)$, respectively.

• Three disjoint sets $\Sigma^{in}$, $\Sigma^{int}$, and $\Sigma^{out}$ of actions, called input, internal, and output actions, respectively. We assume that $\Sigma^{in}$ contains a special element $e$, the environment action, which represents the occurrence of a discrete transition outside the system that is unobservable, except (possibly) through its effect on the input variables. Actions in $\Sigma^{ext} = \Sigma^{in} \cup \Sigma^{out}$ are called external, and actions in $\Sigma^{loc} = \Sigma^{int} \cup \Sigma^{out}$ are called locally controlled. We write $\Sigma \triangleq \Sigma^{in} \cup \Sigma^{loc}$ and let $a$ range over $\Sigma$.

• A non-empty set $\Theta \subseteq \mathbf{V}$ of initial states satisfying:

  Init (initial states closed under change of input variables)
  $s \in \Theta \Rightarrow \exists s' \in \Theta : (s'\lceil U = u) \wedge (s'\lceil Y = s\lceil Y)$

• A set $D \subseteq \mathbf{V} \times \Sigma \times \mathbf{V}$ of discrete transitions satisfying:

  D1 (input action enabling)
  $a \in \Sigma^{in} \Rightarrow \exists s' \in \mathbf{V} : s \xrightarrow{a} s'$

  D2 (environment actions that do not change inputs do not affect the state)
  $(s \xrightarrow{e} s') \wedge (s\lceil U = s'\lceil U) \Rightarrow (s = s')$

  D3 (discrete transitions do not depend on input variable changes)
  $(s \xrightarrow{a} s') \Rightarrow \exists s'' \in \mathbf{V} : (s \xrightarrow{a} s'') \wedge (s''\lceil U = u) \wedge (s''\lceil Y = s'\lceil Y)$

  For any discrete transition $(s, a, s')$ of the automaton $A$, i.e., $(s, a, s') \in D$, the states $s$ and $s'$ are referred to as the pre-state and post-state, respectively, of the discrete transition $(s, a, s')$. Moreover, as in the above treatment, we often use the notation $s \xrightarrow{a} s'$ to denote that $(s, a, s')$ is a discrete transition of the automaton $A$, i.e., $(s, a, s') \in D$.

• A set $W$ of trajectories over $V$ satisfying:

  T1 (existence of point trajectories)
  $\wp(s) \in W$

  T2 (closure under subintervals)
  $w \in W \wedge (T_I \text{ a left-closed subinterval of } \mathit{dom}(w)) \Rightarrow w \dagger T_I \in W$

  T3 (completeness)
  $(\forall t \in \mathsf{T}^{\ge 0} : w \dagger [0, t] \in W) \Rightarrow w \in W$

The intuition captured by Axioms Init and D1–D3 is that a HIOA is responsible for performing locally controlled actions and for modifying the values of its local variables, whereas the environment of a HIOA is responsible for performing input actions and modifying the values of the input variables.

Axiom Init says that a system may not constrain the initial values of its input variables. Thus, if we change the input variables of an initial state, then there is a way to change the internal variables as well (while leaving the output variables unchanged) so that the resulting state is an initial state also.

Axiom D1, which is simply the hybrid extension of the input enabling axiom from the (untimed) I/O automaton model [11, 32, 34], says that a HIOA should accept all input actions in all states. Axiom D2 postulates that an environment action that does not affect the input variables cannot be “detected” by the automaton and, therefore, leaves the state unchanged. Axiom D3 states that there is no functional dependence between the input and the output variables of a HIOA during a transition; that is, a HIOA cannot react instantaneously to an input variable change. If there is an $a$-step from a state $s$ to a state $s'$, then, for any valuation $u$ of the input variables, there also exists an $a$-step from $s$ to a state $s''$ with an input part $u$ and an output part equal to that of $s'$. The internal variables of $s'$ and $s''$ need not have the same values, since otherwise it would not be possible for a HIOA to record all the discrete changes in its input variables. The technical use of Axiom D3 is to avoid cyclic constraints during the interaction of two systems. In this way, we can show that the composition of two HIOA is still input enabled and that the environment can never block the output actions of a system.


Axioms D2 and D3 imply that the environment action $e$ can never affect the output variables of a HIOA. Consider any transition $(s, e, s') \in D$ and suppose that $s'\lceil Y \ne s\lceil Y$. Letting $u = s\lceil U$, Axiom D3 implies that there exists $s'' \in \mathbf{V}$ such that $(s, e, s'') \in D$, $s''\lceil U = s\lceil U$, and $s''\lceil Y = s'\lceil Y$. Since $s''\lceil U = s\lceil U$ and $s''\lceil Y \ne s\lceil Y$, Axiom D2 is violated. Therefore, it follows that there does not exist $(s, e, s') \in D$ such that $s'\lceil Y \ne s\lceil Y$.


Axioms T1–T3 state some natural conditions on the set of trajectories needed to set up our theory: existence of point trajectories, closure under subintervals, and the fact that a full trajectory is in $W$ if and only if all its prefixes are in $W$.

Axiom Init and Axioms D1–D3 as presented here are slightly different from the respective axioms introduced in the preliminary version of the HIOA model [29]. The new axioms allow a HIOA to change the values of its internal variables if the environment modifies the input variables of the HIOA.


Notation. Let $A$ be a HIOA as described above. If $s \in \mathbf{V}$ and $l \in \mathbf{L}$, then we write $s \xrightarrow{a} l$ if and only if there exists an $s' \in \mathbf{V}$ such that $s \xrightarrow{a} s'$ and $s'\lceil L = l$. Henceforth, the components of a HIOA $A$ will be denoted by $V_A$, $U_A$, $\Sigma_A$, $\Theta_A$, etc. Moreover, the components of a HIOA $A_i$ will also be denoted by $V_i$, $U_i$, $\Sigma_i$, $\Theta_i$, etc.


2.3 Hybrid Executions

A hybrid execution fragment $\alpha$ of a HIOA $A$ is a finite or infinite alternating sequence $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$, where:

1. Each $w_i$ is a trajectory in $W_A$ and each $a_i$ is an action in $\Sigma_A$.
2. If $\alpha$ is a finite sequence then it ends with a trajectory.
3. If $w_i$ is not the last trajectory in $\alpha$ then its domain is a right-closed interval and it is the case that $w_i.\mathit{lstate} \xrightarrow{a_{i+1}} w_{i+1}.\mathit{fstate}$.

An execution fragment records all the discrete changes that occur in the evolution of a system, plus the “continuous” state changes that take place in between. The third item says that the discrete actions in $\alpha$ span between successive trajectories. We write h-frags($A$) for the set of all hybrid execution fragments of $A$.

If $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment, then we define the limit time of $\alpha$, denoted by $\alpha.\mathit{ltime}$, to be $\sum_i w_i.\mathit{ltime}$. Further, we define the first state of $\alpha$, denoted by $\alpha.\mathit{fstate}$, to be $w_0.\mathit{fstate}$.
We distinguish several sorts of hybrid execution fragments. A hybrid execution fragment $\alpha$ is defined to be

• an execution if the first state of $\alpha$ is an initial state, i.e., $\alpha.\mathit{fstate} \in \Theta_A$,
• finite if $\alpha$ is a finite sequence and the domain of its final trajectory is a right-closed interval,
• admissible if $\alpha.\mathit{ltime} = \infty$,
• Zeno if $\alpha$ is neither finite nor admissible, and
• a sentence if $\alpha$ is a finite execution that ends with a point trajectory.

If $\alpha = w_0 a_1 w_1 \cdots a_n w_n$ is a finite hybrid execution fragment then we define the last state of $\alpha$, denoted by $\alpha.\mathit{lstate}$, to be $w_n.\mathit{lstate}$. A state of $A$ is defined to be reachable if it is the last state of some finite hybrid execution of $A$.


A finite hybrid execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots a_n w_n$ and a hybrid execution fragment $\alpha' = w_0' a_1' w_1' a_2' w_2' \cdots$ of $A$ can be concatenated if $w_n \frown w_0'$ is defined and is a trajectory of $A$. In this case, the concatenation $\alpha \frown \alpha'$ is the hybrid execution fragment defined by

$\alpha \frown \alpha' = w_0 a_1 w_1 a_2 w_2 \cdots a_n (w_n \frown w_0') a_1' w_1' a_2' w_2' \cdots$

Let $\alpha$ and $\alpha'$ be hybrid execution fragments of a HIOA $A$. We say that $\alpha'$ is a prefix of $\alpha$, denoted by $\alpha' \le \alpha$, if either $\alpha' = \alpha$, or there exists some execution fragment $\alpha''$ of $A$ such that $\alpha' \frown \alpha'' = \alpha$.


A variable $v$ of a HIOA $A$ is called continuous if $v$ is not modified by any discrete steps of $A$ and for all trajectories $w$ of $A$, $w \downarrow v$ is a continuous function. Let $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ be a hybrid execution fragment of $A$. Then we define $\alpha \downarrow v$ as follows:

$\alpha \downarrow v = (w_0 \downarrow v) \frown (w_1 \downarrow v) \frown (w_2 \downarrow v) \cdots$

Theorem 2.3.1 If $v$ is a continuous variable of a HIOA $A$ and $\alpha$ is an execution fragment of $A$, then $\alpha \downarrow v$ is a continuous function.

If $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment of a HIOA $A$ and $Z \subseteq V$ then $\alpha \downarrow Z$ is defined to be the sequence $(w_0 \downarrow Z) a_1 (w_1 \downarrow Z) a_2 (w_2 \downarrow Z) \cdots$.


A superdense time in an execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ of a HIOA $A$ is a pair $(i, t)$, where $t \le w_i.\mathit{ltime}$. We totally order superdense times in the execution fragment $\alpha$ lexicographically.

An occurrence of a state $s$ in an execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ of a HIOA $A$ is a triple $(i, t, s)$ such that $(i, t)$ is a superdense time in $\alpha$ and $s = w_i(t)$. We order state occurrences in $\alpha$ according to the order of their superdense times.

If $S$ is a set of states and $\alpha$ is an execution fragment, then $\mathit{past}(S, \alpha)$ is the set of state occurrences $(i, t, s)$ in $\alpha$ such that either $s \in S$ or there is a previous state occurrence $(i', t', s')$ in $\alpha$ with $s' \in S$.


2.4 Hybrid Traces

Suppose $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment of $A$. In order to define the hybrid trace of $\alpha$, let

$\gamma = (w_0 \downarrow E_A)\,\mathit{vis}(a_1)\,(w_1 \downarrow E_A)\,\mathit{vis}(a_2)\,(w_2 \downarrow E_A) \cdots$,

where, for any action $a$ of $A$, $\mathit{vis}(a)$ is defined equal to $\tau$ if $a$ is an internal action or an environment action $e$, and equal to $a$ otherwise. Here $\tau$ is a special symbol which, as in the theory of process algebra, plays the role of the “generic” invisible action. An occurrence of $\tau$ in $\gamma$ is called inert if the final state of the trajectory that precedes the $\tau$ equals the first state of the trajectory that follows it (after hiding of the internal variables). The hybrid trace of $\alpha$, denoted by h-trace($\alpha$), is defined to be the sequence obtained from $\gamma$ by removing all inert $\tau$'s and concatenating the surrounding trajectories.

The hybrid traces of $A$ are the hybrid traces that arise from all the finite and admissible hybrid executions of $A$. We write h-traces($A$) for the set of hybrid traces of $A$.

The HIOA $A_1$ and $A_2$ are comparable if they have the same external interface, i.e., $U_1 = U_2$, $Y_1 = Y_2$, $\Sigma_1^{in} = \Sigma_2^{in}$, and $\Sigma_1^{out} = \Sigma_2^{out}$. If $A_1$ and $A_2$ are comparable, then $A_1 \le A_2$ is defined to mean that the hybrid traces of $A_1$ are included in those of $A_2$; that is, $A_1 \le A_2 \triangleq$ h-traces($A_1$) $\subseteq$ h-traces($A_2$). If $A_1 \le A_2$, then we say that $A_1$ implements $A_2$.
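The trajectory operations of Section 2.1 (prefix, curtailment, projection, concatenation) and the hybrid-trace construction just described, worked through in Python as an added example; this is not code from the thesis. Trajectories are kept finite (a limit time, a right-closed flag, and a function from time to valuation), and the variable names x and c, the actions tick and reset, and the sample fragment are constructed for illustration.

```python
"""Trajectory operations and hybrid traces on finite objects (added example)."""
from fractions import Fraction as Fr


class Traj:
    """A finite trajectory w over a set of variables: dom(w) is [0, ltime] when
    closed, [0, ltime) otherwise; fn maps a time to a valuation (a dict)."""

    def __init__(self, ltime, fn, closed=True):
        self.ltime = Fr(ltime)   # sup(dom(w)); infinite domains are not modelled
        self.fn = fn             # t -> dict(variable -> value)
        self.closed = closed

    def __call__(self, t):
        t = Fr(t)
        if t < 0 or t > self.ltime or (t == self.ltime and not self.closed):
            raise ValueError("time outside dom(w)")
        return self.fn(t)

    @property
    def fstate(self):
        return self(0)

    @property
    def lstate(self):
        assert self.closed, "w.lstate is defined only for right-closed domains"
        return self(self.ltime)

    def curtail(self, t1, t2, closed=True):
        """w dagger T_I for T_I = [t1, t2] (or [t1, t2) when closed=False): the
        trajectory w' with dom(w') = (T_I meet dom(w)) - t1 and w'(t') = w(t' + t1)."""
        t1, t2 = Fr(t1), Fr(t2)
        assert 0 <= t1 <= t2 and t1 <= self.ltime
        assert t1 < self.ltime or self.closed, "min(T_I) must lie in dom(w)"
        if t2 < self.ltime:
            end, end_closed = t2, closed
        elif t2 == self.ltime:
            end, end_closed = t2, closed and self.closed
        else:
            end, end_closed = self.ltime, self.closed
        assert end > t1 or end_closed, "an empty domain is not a trajectory"
        return Traj(end - t1, lambda tp: self.fn(tp + t1), end_closed)

    def prefix(self, t, closed=True):
        """w trianglelefteq t (closed) or w triangleleft t (right-open); w triangleleft 0 is rejected."""
        return self.curtail(0, t, closed)

    def project(self, Zp):
        """w projected onto the variable set Zp."""
        return Traj(self.ltime, lambda t: {z: self.fn(t)[z] for z in Zp}, self.closed)

    def concat(self, other):
        """w frown w' = w union (w' + w.ltime); needs w.lstate = w'.fstate when w is closed."""
        if self.closed:
            assert self.lstate == other.fstate, "endpoints of w and w' must agree"
        shift = self.ltime
        return Traj(shift + other.ltime,
                    lambda t: self.fn(t) if t < shift else other.fn(t - shift),
                    other.closed)


TAU = "tau"   # the generic invisible action


def vis(a, internal):
    """vis(a) is tau for internal actions and the environment action e, else a."""
    return TAU if a in internal or a == "e" else a


def h_trace(frag, E, internal):
    """h-trace of a fragment given as the list [w0, a1, w1, a2, w2, ...]: project each
    trajectory onto the external variables E, hide actions via vis, and remove every
    inert tau by concatenating the trajectories around it."""
    trajs = [w.project(E) for w in frag[0::2]]
    acts = [vis(a, internal) for a in frag[1::2]]
    out = [trajs[0]]
    for a, w in zip(acts, trajs[1:]):
        prev = out[-1]
        if a == TAU and prev.closed and prev.lstate == w.fstate:   # inert tau
            out[-1] = prev.concat(w)
        else:
            out += [a, w]
    return out


# Constructed fragment: external variable x grows at rate 1, internal counter c is
# bumped by the internal action "tick"; the output action "reset" zeroes x.
w0 = Traj(1, lambda t: {"x": t, "c": 0})
w1 = Traj(1, lambda t: {"x": 1 + t, "c": 1})
w2 = Traj(1, lambda t: {"x": Fr(0), "c": 1})
FRAGMENT = [w0, "tick", w1, "reset", w2]


def example_trace():
    """The tick becomes an inert tau (x is continuous across it), so the trace is a
    single 2-time-unit trajectory, then "reset", then the final trajectory."""
    return h_trace(FRAGMENT, E={"x"}, internal={"tick"})
```

The inert-tau test compares only the projected (external) states, which is why the change of the hidden counter c across tick does not keep the tau in the trace.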


2.5 Auxiliary HIOA Definitions

Given a HIOA $A$, we use the notation $\mathit{states}(A)$ to denote the state space of the automaton $A$, i.e., $\mathit{states}(A) = \mathbf{V}_A$. If $R$ is a subset of the set of states $\mathit{states}(A)$ of the automaton $A$ and $s, s' \in R$, then we say that $s'$ is $R$-reachable from $s$, denoted by $s \leadsto_R s'$, provided that there is a hybrid execution fragment of $A$ that starts in $s$, ends in $s'$, and all of whose states are in the set $R$. We say that $s'$ is reachable from $s$, denoted by $s \leadsto s'$, provided that $s'$ is $R$-reachable from $s$, where $R$ is the set of all states of the automaton $A$, i.e., $R = \mathit{states}(A)$.

When analyzing a HIOA $A$, it is often useful to define derived variables for $A$. Such variables are functionally dependent on the variables of the automaton $A$ and, although useful in the analysis of $A$, are not essential in its definition.

If $s$ is a state of a HIOA $A$ and $z$ is a variable of $A$, i.e., $s \in \mathit{states}(A)$ and $z \in V_A$, then $s.z$ denotes the value of the variable $z$ in the state $s$. In terms of valuations, $s.z$ is the restriction of the valuation $s$ to the element $z$, i.e., $s.z = s\lceil z$.

If $f$ is a function to states of a HIOA $A$ and $Z$ is a subset of the variables of $A$, i.e., $\mathit{range}(f) = \mathit{states}(A)$ and $Z \subseteq V_A$, then $f \downarrow Z$ is the projection of $f$ onto the variables in $Z$, i.e., the function $g$ with domain $\mathit{dom}(f)$ and range equal to the set of valuations of $Z$, defined by: $g(s)(z) = f(s)(z)$, for all $s \in \mathit{dom}(f)$ and $z \in Z$. In the special case where $Z$ is a singleton set $\{z\}$, i.e., $Z = \{z\}$, we write $f \downarrow z$ as shorthand for $f \downarrow Z$.


2.6 Simulation Relations

Let $A$ and $B$ be comparable HIOA. A simulation from $A$ to $B$ is a relation $R \subseteq \mathbf{V}_A \times \mathbf{V}_B$ satisfying the following conditions, for all states $r$ and $s$ of $A$ and $B$, respectively:

1. If $r \in \Theta_A$, then there exists $s \in \Theta_B$ such that $r \mathrel{R} s$.
2. If $r \xrightarrow{a}_A r'$ and $r \mathrel{R} s$, then $B$ has a finite execution fragment $\alpha$ with $s = \alpha.\mathit{fstate}$, h-trace($\wp(r)\, a\, \wp(r')$) = h-trace($\alpha$), and $r' \mathrel{R} \alpha.\mathit{lstate}$.
3. If $r \mathrel{R} s$ and $w$ is a closed trajectory of $A$ with $r = w.\mathit{fstate}$, then $B$ has a finite execution fragment $\alpha$ with $s = \alpha.\mathit{fstate}$, h-trace($w$) = h-trace($\alpha$), and $w.\mathit{lstate} \mathrel{R} \alpha.\mathit{lstate}$.

Theorem 2.6.1 If $A$ and $B$ are comparable HIOA and there is a simulation from $A$ to $B$, then $A \le B$.


2.7 Composition

We say that the HIOA $A_1$ and $A_2$ are compatible if, for $i, j \in \{1, 2\}$, $i \ne j$,

$X_i \cap V_j = Y_i \cap Y_j = \Sigma_i^{int} \cap \Sigma_j = \Sigma_i^{out} \cap \Sigma_j^{out} = \emptyset$.

If $A_1$ and $A_2$ are compatible then their composition $A_1 \times A_2$ is defined to be the tuple $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, D, W)$ given by

• $U = (U_1 \cup U_2) - (Y_1 \cup Y_2)$, $X = X_1 \cup X_2$, $Y = Y_1 \cup Y_2$

• $\Sigma^{in} = (\Sigma_1^{in} \cup \Sigma_2^{in}) - (\Sigma_1^{out} \cup \Sigma_2^{out})$, $\Sigma^{int} = \Sigma_1^{int} \cup \Sigma_2^{int}$, $\Sigma^{out} = \Sigma_1^{out} \cup \Sigma_2^{out}$

• $\Theta = \{s \in \mathbf{V} \mid s\lceil V_1 \in \Theta_1 \wedge s\lceil V_2 \in \Theta_2\}$

• Define, for $i \in \{1, 2\}$, the projection function $\pi_{A_i} : \Sigma \to \Sigma_i$ by $\pi_{A_i}(a) \triangleq a$, if $a \in \Sigma_i$, and $\pi_{A_i}(a) \triangleq e$, otherwise. Then $D$ is the subset of $\mathbf{V} \times \Sigma \times \mathbf{V}$ given by

  $(s, a, s') \in D \Leftrightarrow s\lceil V_1 \xrightarrow{\pi_{A_1}(a)}_{A_1} s'\lceil V_1 \;\wedge\; s\lceil V_2 \xrightarrow{\pi_{A_2}(a)}_{A_2} s'\lceil V_2$

• $W$ is the set of trajectories over $V$ given by

  $w \in W \Leftrightarrow w \downarrow V_1 \in W_1 \wedge w \downarrow V_2 \in W_2$

Notation. We extend the projection notation $\pi_{A_i}$, for $i \in \{1, 2\}$, to states, trajectories, discrete actions, hybrid executions, and hybrid traces in the obvious way. If $s$, $w$, and $a$ are a state, a trajectory, and a discrete action of the automaton $A = A_1 \times A_2$, then the respective projections $\pi_{A_i}$, for $i \in \{1, 2\}$, are defined as $\pi_{A_i}(s) = s\lceil V_{A_i}$, $\pi_{A_i}(w) = w \downarrow V_{A_i}$, and $\pi_{A_i}(a) = a$ if $a \in \Sigma_{A_i}$ and $\pi_{A_i}(a) = e$ otherwise. Also, if $\alpha = w_0 a_1 w_1 a_2 \cdots$ is a hybrid execution of the automaton $A = A_1 \times A_2$, then the projection $\pi_{A_i}$, for $i \in \{1, 2\}$, is defined as $\pi_{A_i}(\alpha) = \pi_{A_i}(w_0)\,\pi_{A_i}(a_1)\,\pi_{A_i}(w_1)\,\pi_{A_i}(a_2) \cdots$. Moreover, if $\gamma$ is the hybrid trace of $\alpha$, then $\pi_{A_i}(\gamma)$ is the sequence obtained from $(w_0 \downarrow E_{A_i})\,\mathit{vis}_{A_i}(a_1)\,(w_1 \downarrow E_{A_i})\,\mathit{vis}_{A_i}(a_2)\,(w_2 \downarrow E_{A_i}) \cdots$ by removing all inert $\tau$'s and concatenating the surrounding trajectories.

Proposition 2.7.1 If $A_1$ and $A_2$ are compatible HIOA, then their composition $A_1 \times A_2$ is a HIOA.

Lemma 2.7.2 Let $A = A_1 \times A_2$, and let $\alpha$ be a hybrid execution of $A$. Then it is the case that $\pi_{A_i}$(h-trace($\alpha$)) = h-trace($\pi_{A_i}(\alpha)$), for $i \in \{1, 2\}$.

Lemma 2.7.3 Let $A = A_1 \times A_2$. Then it is the case that h-traces($A$) $= \{\gamma \mid \pi_{A_i}(\gamma) \in$ h-traces($A_i$), for $i \in \{1, 2\}\}$.

Theorem 2.7.4 Suppose $A_1$, $A_2$, and $B$ are HIOA with $A_1 \le A_2$, and each of $A_1$ and $A_2$ is compatible with $B$. Then $A_1 \times B \le A_2 \times B$.
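The composition $A_1 \times A_2$ of the discrete parts of two finite-state HIOA, computed from the definition above, as an added example that is not part of the thesis. The automata A1 (which owns the output variable y and toggles it) and A2 (which reads y as an input variable and copies it into its internal x), their variables, and the actions flip and e are all constructed here; only the sets of variables, actions, and the transition relation D are built, the trajectory set W being left out since a finite enumeration cannot represent it.

```python
"""Composition of the discrete part of two finite HIOA (added example, not the
thesis's code).  Variables have finite types so that the valuation set V can be
enumerated; a state is a frozenset of (variable, value) pairs and D is a set of
(s, a, s') triples."""
from itertools import product

E_ACT = "e"   # the environment action, a member of every input action set


class FiniteHIOA:
    def __init__(self, U, X, Y, types, sig_in, sig_int, sig_out, D):
        self.U, self.X, self.Y = frozenset(U), frozenset(X), frozenset(Y)
        self.V = self.U | self.X | self.Y
        self.types = types                         # variable -> list of values
        self.sig_in, self.sig_int, self.sig_out = set(sig_in), set(sig_int), set(sig_out)
        self.sigma = self.sig_in | self.sig_int | self.sig_out
        self.D = D                                 # set of (s, a, s')

    def states(self):
        """All valuations of V (the set written V in bold in the text)."""
        names = sorted(self.V)
        return [frozenset(zip(names, vals))
                for vals in product(*(self.types[n] for n in names))]


def restrict(s, Z):
    """s restricted to the variables in Z."""
    return frozenset((v, x) for v, x in s if v in Z)


def val(s, v):
    return dict(s)[v]


def compatible(A1, A2):
    """X_i disjoint from V_j, Y_1 disjoint from Y_2, internal actions private, and
    no shared output actions."""
    return (not (A1.X & A2.V) and not (A2.X & A1.V) and not (A1.Y & A2.Y)
            and not (A1.sig_int & A2.sigma) and not (A2.sig_int & A1.sigma)
            and not (A1.sig_out & A2.sig_out))


def compose(A1, A2):
    """A1 x A2 following the definition: shared output variables leave U, output
    actions leave Sigma^in, and (s, a, s') is a step iff both projections are steps,
    where pi_Ai(a) is a if a belongs to Ai and e otherwise."""
    assert compatible(A1, A2)
    A = FiniteHIOA(U=(A1.U | A2.U) - (A1.Y | A2.Y), X=A1.X | A2.X, Y=A1.Y | A2.Y,
                   types={**A1.types, **A2.types},
                   sig_in=(A1.sig_in | A2.sig_in) - (A1.sig_out | A2.sig_out),
                   sig_int=A1.sig_int | A2.sig_int, sig_out=A1.sig_out | A2.sig_out,
                   D=set())

    def proj(Ai, a):
        return a if a in Ai.sigma else E_ACT

    for s, a, s2 in product(A.states(), A.sigma, A.states()):
        if ((restrict(s, A1.V), proj(A1, a), restrict(s2, A1.V)) in A1.D
                and (restrict(s, A2.V), proj(A2, a), restrict(s2, A2.V)) in A2.D):
            A.D.add((s, a, s2))
    return A


def build_A1():
    """Constructed A1: output variable y, output action 'flip' toggles y; with no
    input variables the environment action e stutters (Axiom D2)."""
    A1 = FiniteHIOA(U=[], X=[], Y=["y"], types={"y": [0, 1]},
                    sig_in=[E_ACT], sig_int=[], sig_out=["flip"], D=set())
    for s in A1.states():
        A1.D.add((s, "flip", frozenset({("y", 1 - val(s, "y"))})))
        A1.D.add((s, E_ACT, s))
    return A1


def build_A2():
    """Constructed A2: input variable y, internal x.  On input action 'flip' it sets
    x to the new value of y; every step lets y take any value (Axiom D3), and an
    e-step leaves x alone."""
    A2 = FiniteHIOA(U=["y"], X=["x"], Y=[], types={"y": [0, 1], "x": [0, 1]},
                    sig_in=["flip", E_ACT], sig_int=[], sig_out=[], D=set())
    for s, s2 in product(A2.states(), repeat=2):
        if val(s2, "x") == val(s2, "y"):
            A2.D.add((s, "flip", s2))
        if val(s2, "x") == val(s, "x"):
            A2.D.add((s, E_ACT, s2))
    return A2


def composed():
    return compose(build_A1(), build_A2())


def reachable(A, init):
    """States reachable from init through discrete transitions alone."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for (p, a, q) in A.D:
            if p == s and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen
```

In the composite, y is no longer an input variable and flip is no longer an input action; the only flip steps that survive are those in which A1's new y agrees with the y that A2 reads, so x tracks y although neither automaton alone constrains the other.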


2.8 HIOA Specification Conventions

In this section we describe the conventions used in the specification of a HIOA $A$ in this thesis. In particular, we describe how the states, the discrete transitions, and the trajectories of $A$ are specified and introduce notational shorthand used to specify concisely complex state properties of $A$.
2.8.1 State Specification

Since the states of $A$ are the set of valuations of its variable set $V_A$, the states of $A$ are specified by simply defining the domain over which each variable in $V_A$ ranges. Thus, the states of $A$ are specified by a list of all input, internal, and output variables together with the domain over which each respective variable ranges. Similarly, the set of start states of $A$ is specified by stating the set of values that each variable in $V_A$ can initially assume. It is important to note that, by Axiom Init of the HIOA model, each input variable $u$ of $A$ may initially assume any value in $\mathit{type}(u)$; that is, the set of values that each input variable $u$ of $A$ can initially assume is the set $\mathit{type}(u)$.


2.8.2 Discrete Transition Specification

The set of discrete transitions of $A$ is specified by collectively describing all discrete transitions involving each action $a$ in $\Sigma_A$ in precondition-effect format. This format is comprised of a label, a precondition, and an effect clause. The label corresponds to the label of the action $a$. The precondition is a predicate over the variables of $A$ and specifies the conditions under which the action $a$ is enabled; that is, the precondition defines the set of states in which the action $a$ may be scheduled. It is important to note that an action $a$ in $\Sigma_A$ is not necessarily scheduled whenever it is enabled. The effect clause specifies the pseudo-code that must be applied to the pre-state of a discrete transition involving the action $a$ so as to yield the post-state of the discrete transition. It follows that, in order for $(s, a, s')$ to be a discrete transition of $A$, the precondition in the specification of the action $a$ must be satisfied by the pre-state $s$. Moreover, the application of the pseudo-code in the effect clause of the specification of the action $a$ to the pre-state $s$ must yield the post-state $s'$.

The convention used in this thesis is that for any particular discrete transition $(s, a, s')$ of $A$, the statements in the pseudo-code of the effect clause of the specification of $a$ are applied sequentially to the state of $A$ starting from the pre-state $s$. However, the effect clause in the specification of any action $a$ of $A$ is assumed to be executed indivisibly. Therefore, the execution of the action $a$ in the state $s$ represents a single transition from the pre-state $s$ to the post-state $s'$. In order to be able to write effect clause pseudo-code involving the valuation of the variables of $A$ in the pre-state, we adopt the convention that the value of a particular variable $v$ of $A$ in the pre-state $s$ may be referred to as $v_{pre}$. Similarly, the value of the variable $v$ in the post-state $s'$ may be referred to as $v_{post}$.

Throughout this thesis, we adopt the convention that if the effect clause in the specification of an action $a$ of $A$ does not affect a local variable $v$, for any $v \in L_A$, the value of $v$ in the post-state of any discrete transition involving the action $a$ is equal to its value in the pre-state, i.e., $v_{post} = v_{pre}$. Moreover, in order to conform to Axiom D3 of the HIOA model, we adopt the convention that the effect clause in the specification of each action $a$ of $A$ must assign to each input variable $u$ of $A$ an arbitrary value in $\mathit{type}(u)$; that is, the effect clause in the specification of the action $a$ must include the assignment statement $u :\in \mathit{type}(u)$. In fact, we adopt the convention that such assignments precede any other statements in the effect clause of the specification of the action $a$. Obviously, if the automaton $A$ has no input variables, i.e., $U_A = \emptyset$, no such assignments are specified.

Axiom D1 of the HIOA model defines HIOA to be input-enabled; that is, a HIOA is not capable of blocking the scheduling of its input actions. It follows that each input action $a$ of $A$ is enabled in each state $s$ of $A$. A consequence of this characteristic is that the precondition in the specification of each input action $a$ of $A$ is the trivial predicate True. Throughout this thesis, we adopt the convention that the precondition clause in the specification of any input action $a$ of $A$ is omitted; that is, the specification of each input action $a$ of $A$ is only comprised of the label and the effect clause of the action $a$.

The environment action $e$, which is considered an input action, allows the occurrence of a discrete transition in the external environment that is unobservable by $A$ except (possibly) through its effect on the input variables of $A$. Environment actions are considered input actions because HIOA have no control over their external environment and, therefore, environment actions are enabled in all states. Thus, following the convention for input actions, the precondition clause in the specification of the environment action $e$ is omitted. Moreover, according to Axioms D2 and D3 of the HIOA model, a discrete transition involving the environment action $e$ can only affect the input and the internal variables of $A$. In fact, according to Axiom D2 of the HIOA model, a discrete transition involving the environment action $e$ can affect the internal variables of $A$ only if the input variables are also affected. Therefore, the effect clause in the specification of the environment action $e$ must be such that the internal variables are affected only if the valuation of the input variables in the post-state differs from their valuation in the pre-state; that is, for all $(s, e, s') \in D$, it is the case that if $s\lceil X_A \ne s'\lceil X_A$ then $s\lceil U_A \ne s'\lceil U_A$. If the automaton $A$ has no input variables, then the environment action $e$ cannot affect its state; that is, if $U_A = \emptyset$ then for all $(s, e, s') \in D$ it is the case that $s = s'$. In such cases, the environment action $e$ is referred to as stuttering and the effect clause in its specification is comprised of the single statement “None”. Often, when the environment action $e$ does not affect the internal variables of a HIOA, or when the environment action $e$ is stuttering, its specification is omitted. Thus, if the environment action $e$ is omitted from the specification of a HIOA $A$, then it follows that the environment action $e$ assigns arbitrary values to the input variables of $A$ and does not affect the internal variables of $A$. Obviously, when the HIOA $A$ has no input variables, the environment action $e$ omitted in the specification of $A$ is stuttering.
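An added example, not code from the thesis, that turns a precondition-effect specification written under the conventions of this section into the transition relation $D$ and then checks Axioms Init and D1–D3 of Section 2.2 against it. The counter automaton, its variables u, x, y, and its actions set, step, and emit are constructed for illustration; the reassign_inputs switch shows that dropping the leading $u :\in \mathit{type}(u)$ assignment is exactly what breaks Axiom D3 while leaving D1 intact.

```python
"""Precondition-effect specification -> D, plus checks of Init and D1-D3.

Added example (not the thesis's code).  Constructed automaton: input variable u,
internal counter x, output bit y; input action "set", internal action "step",
output action "emit", and the environment action e.  States are dicts, frozen to
sorted tuples so they can be members of sets."""
from itertools import product

E_ACT = "e"
U, X, Y = {"u"}, {"x"}, {"y"}
TYPES = {"u": [0, 1], "x": [0, 1, 2], "y": [0, 1]}
SIG_IN, SIG_INT, SIG_OUT = {"set", E_ACT}, {"step"}, {"emit"}

# label -> (precondition on the pre-state, effect).  The effect receives the
# pre-state and a draft post-state in which the inputs have already been
# reassigned and every local variable still carries its pre-state value (the
# "unaffected locals are unchanged" convention); it returns the admissible posts.
SPEC = {
    "set":  (lambda pre: True,                        # input action: precondition omitted
             lambda pre, post: [{**post, "x": post["u"]}]),
    "step": (lambda pre: pre["x"] < 2,
             lambda pre, post: [{**post, "x": pre["x"] + 1}]),
    "emit": (lambda pre: pre["x"] == 2,
             lambda pre, post: [{**post, "x": 0, "y": 1 - pre["y"]}]),
    E_ACT:  (lambda pre: True,
             lambda pre, post: [post]),               # e touches only the inputs
}


def freeze(s):
    return tuple(sorted(s.items()))


def restrict(s, Z):
    """s restricted to the variables in Z, on a frozen state."""
    return tuple(kv for kv in s if kv[0] in Z)


def all_states(types=TYPES):
    names = sorted(types)
    return [freeze(dict(zip(names, vals)))
            for vals in product(*(types[n] for n in names))]


def input_valuations(types=TYPES, inputs=U):
    names = sorted(inputs)
    return [tuple(zip(names, vals)) for vals in product(*(types[n] for n in names))]


def build_D(spec=SPEC, types=TYPES, inputs=U, reassign_inputs=True):
    """Each transition first performs u :in type(u) for every input u, before the
    effect runs.  With reassign_inputs=False the inputs keep their pre-state value,
    which is the omission Axiom D3 rules out."""
    D = set()
    for pre in all_states(types):
        for a, (precond, effect) in spec.items():
            if not precond(dict(pre)):
                continue
            drafts = input_valuations(types, inputs) if reassign_inputs else [restrict(pre, inputs)]
            for u in drafts:
                for post in effect(dict(pre), {**dict(pre), **dict(u)}):
                    D.add((pre, a, freeze(post)))
    return D


def check_init(theta, inputs=U, outputs=Y, types=TYPES):
    """Init: changing the inputs of an initial state can be matched by an initial
    state with the same outputs."""
    return all(any(restrict(t, inputs) == u and restrict(t, outputs) == restrict(s, outputs)
                   for t in theta)
               for s in theta for u in input_valuations(types, inputs))


def check_D1(D, states, sig_in=SIG_IN):
    """D1: every input action is enabled in every state."""
    enabled = {(p, a) for (p, a, q) in D}
    return all((s, a) in enabled for s in states for a in sig_in)


def check_D2(D, inputs=U):
    """D2: an e-step that leaves the inputs unchanged leaves the state unchanged."""
    return all(p == q for (p, a, q) in D
               if a == E_ACT and restrict(p, inputs) == restrict(q, inputs))


def check_D3(D, inputs=U, outputs=Y, types=TYPES):
    """D3: for each a-step s -> s' and each input valuation u there is an a-step
    s -> s'' whose inputs equal u and whose outputs equal those of s'."""
    posts = {}
    for (p, a, q) in D:
        posts.setdefault((p, a), []).append(q)
    return all(any(restrict(q2, inputs) == u and restrict(q2, outputs) == restrict(q, outputs)
                   for q2 in qs)
               for qs in posts.values() for q in qs for u in input_valuations(types, inputs))


STATES = all_states()
# Initial states: x = 0, y = 0, and u free (Axiom Init / Section 2.8.1).
THETA = {s for s in STATES if dict(s)["x"] == 0 and dict(s)["y"] == 0}


def check_all():
    D = build_D()
    return {"Init":  check_init(THETA), "D1": check_D1(D, STATES),
            "D2": check_D2(D), "D3": check_D3(D)}
```

Because the input reassignment precedes the effect, the effect of set may read the freshly assigned value as post["u"], which is the $u_{post}$ of the text; reading pre["u"] there would be $u_{pre}$ and is equally allowed.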
2.8.3 Trajectory Specification

The set of trajectories of $A$ is specified by pseudo-code which describes the properties that any trajectory $w$ involving the variables in the variable set of $A$ must satisfy in order to be a trajectory of $A$. Thus, the trajectory pseudo-code consists of a collection of predicates all of which must be satisfied throughout any trajectory $w$ of $A$. Since HIOA have no control over their input variables, the trajectory specification of $A$ must not constrain its input variables. Thus, we adopt the convention that the trajectory specification of $A$ includes a clause for each input variable $u$ of $A$ stating that the input variable $u$ assumes arbitrary values in $\mathit{type}(u)$ throughout each trajectory $w$ of $A$. Obviously, if the automaton $A$ has no input variables, i.e., $U_A = \emptyset$, no such clauses are specified. In contrast to the convention used in the specification of actions, if a particular local variable $v$ of $A$ is not constrained in the trajectory specification of $A$, then its value may assume arbitrary values in $\mathit{type}(v)$. Therefore, in order to specify that the value of the local variable $v$ of $A$ remains constant throughout each trajectory $w$ of $A$, an explicit statement stating so must be used.


2.8.4 State Restriction

In the specification of a HIOA, it is often unwieldy to explicitly enforce complex state properties. In view of this specification inefficacy, we allow the enforcement of state properties through the restriction of the states of a HIOA to property sets. A property set $P$ of $A$ is a set of states of $A$ that is comprised of all the states of $A$ that satisfy a particular state property. The state property described by the property set $P$ may be enforced through the use of “subject to $P$” clauses in the specification of either the initial states, the actions, or the trajectories of $A$. In the specification of the initial states of $A$, a “subject to $P$” clause signifies that all of the initial states of $A$ are in the set $P$. In the specification of the actions of $A$, a “subject to $P$” clause in the effect clause of an action $a$ signifies that the post-state of each discrete transition involving the action $a$ is in the set $P$. Finally, in the specification of the trajectories of $A$, a “subject to $P$” clause signifies that all the states involved in each trajectory of $A$ are in the set $P$. In the case of trajectories, such a clause may be interpreted as choosing the local variables of $A$ that are unconstrained by the trajectory specification so that the states involved in the trajectory are in the set $P$.

Often, we collectively specify all complex state properties of a HIOA $A$ using a single property set. This property set is distinct for each HIOA and is referred to as the set VALID for the particular HIOA at hand.
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Chapter 3 


Abstract Physical Plant and 
Protector Models 


This chapter is split into two parts. In the first part, we define an abstract model of a physical system that is comprised of a physical plant and a protection system. The protection system is modeled as a set of protectors that are communicating with the physical plant through distinct communication channels, or ports. These channels are used to sample and to control the state of the physical plant. Both the physical plant and the protectors are modeled as HIOA. It is shown that under certain conditions protectors can be composed such that their composition ensures the safety properties guaranteed by the individual protectors being composed. In the second part, we give an abstract model of a protector. The model is parameterized by the physical plant and various sets of states of the physical plant which describe the properties assumed and guaranteed by the abstract protector. The protector is defined as the composition of a sensor automaton and a discrete controller automaton. The sensor automaton samples the output state of the physical plant at a given sampling rate. The discrete controller automaton determines which protective action must be scheduled in order to ensure the safety of the physical plant up to the next sampling point. To conclude, the proposed abstract protector is shown to be correct.


3.1 Protected Plant Systems 


In this section, we present an abstract model of a system consisting of a physical plant and a set of protectors. The model is abstract in that it does not specify any of the details of the physical plant — for instance, it does not specify that the plant includes vehicles and tracks. We also define what it means for a protector responsible for guaranteeing a particular property, i.e., a protector used to avoid a particular mishap, to be correct.




3.1.1 Physical Plant Automata 


Let $J$ be a set of ports. A physical plant automaton $PP$ for $J$ is defined to be a hybrid I/O automaton (HIOA) in which:

1. The input action set $\Sigma^{in}_{PP}$ is partitioned into subsets $\Sigma^{in}_{PP_j}$, one for each port $j$.
2. The output action set $\Sigma^{out}_{PP}$ is partitioned into subsets $\Sigma^{out}_{PP_j}$, one for each port $j$.
3. The input variable set $U_{PP}$ is partitioned into subsets $U_{PP_j}$, one for each port $j$.

We use the letter $p$ to denote a state of $PP$ and $P$ to denote a set of states of $PP$.


3.1.2 Protector Automata 


Let $PP$ be a physical plant automaton with port set $J$, and let $K \subseteq J$. A protector automaton $A$ for the physical plant $PP$ and the port set $K$ is a HIOA that is compatible with $PP$, and that satisfies the following conditions:

1. Its output actions are exactly the input actions of $PP$ on ports in $K$.
2. Its output variables are exactly the input variables of $PP$ on ports in $K$.
3. All its input actions and input variables are outputs of $PP$.


Lemma 3.1.1 Suppose that $A_1$ and $A_2$ are protectors for $PP$, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \times A_2$ is a protector for $PP$ with port set $K_1 \cup K_2$.

Proof: Since $A_1$ and $A_2$ are compatible, Proposition 2.7.1 implies that $A_1 \times A_2$ is a HIOA. Moreover, since $A_1$ and $A_2$ are compatible with $PP$ it follows that $A_1 \times A_2$ is compatible with $PP$ also. Therefore, it remains to be shown that the HIOA $A_1 \times A_2$ satisfies the three protector conditions presented above.

To begin, since the protectors $A_1$ and $A_2$ communicate with the plant $PP$ through the port sets $K_1$ and $K_2$, respectively, their composition $A_1 \times A_2$ communicates with the plant $PP$ through the port set $K_1 \cup K_2$. Therefore, there are three conditions to check:

1. The output actions of $A_1 \times A_2$ are exactly the input actions of $PP$ on ports in $K_1 \cup K_2$.
Since the HIOA $A_1$ and $A_2$ are protectors, their output actions are exactly the input actions of $PP$ on the port sets $K_1$ and $K_2$, respectively. However, from the composition of the protectors $A_1$ and $A_2$, it is the case that $\Sigma^{out}_{A_1 \times A_2} = \Sigma^{out}_{A_1} \cup \Sigma^{out}_{A_2}$. Therefore, it trivially follows that the output actions of $A_1 \times A_2$ are exactly the input actions of $PP$ on ports in $K_1 \cup K_2$.

2. The output variables of $A_1 \times A_2$ are exactly the input variables of $PP$ on ports in $K_1 \cup K_2$.
Since the HIOA $A_1$ and $A_2$ are protectors, their output variables are exactly the input variables of $PP$ on the port sets $K_1$ and $K_2$, respectively. However, from the composition of the protectors $A_1$ and $A_2$, it is the case that $Y_{A_1 \times A_2} = Y_{A_1} \cup Y_{A_2}$. Therefore, it trivially follows that the output variables of $A_1 \times A_2$ are exactly the input variables of $PP$ on ports in $K_1 \cup K_2$.

3. All the input actions and input variables of $A_1 \times A_2$ are outputs of $PP$.
From the composition of the protectors $A_1$ and $A_2$, it is the case that $\Sigma^{in}_{A_1 \times A_2} = (\Sigma^{in}_{A_1} \cup \Sigma^{in}_{A_2}) - (\Sigma^{out}_{A_1} \cup \Sigma^{out}_{A_2})$ and $U_{A_1 \times A_2} = (U_{A_1} \cup U_{A_2}) - (Y_{A_1} \cup Y_{A_2})$. However, since the HIOA $A_1$ and $A_2$ are protectors, their output actions and output variables are inputs to the $PP$ automaton. Therefore, it is the case that $\Sigma^{in}_{A_1 \times A_2} = \Sigma^{in}_{A_1} \cup \Sigma^{in}_{A_2}$ and $U_{A_1 \times A_2} = U_{A_1} \cup U_{A_2}$. It trivially follows that the input actions and input variables of $A_1 \times A_2$ are outputs of $PP$.


3.1.3 Protected Plant Systems

A protected plant system is the composition of a physical plant automaton $PP$ and a set of protector automata. If $s$ is a state of a protected plant system and $P$ is a subset of the states of $PP$, we often write $s \in P$ as shorthand for $s\lceil PP \in P$. That is, we extend the definition of the set $P$ to include states of the protected plant system that project to give $PP$ states in $P$.


3.1.4 Substitutive and Compositional Correctness

Let $S$, $R$, and $G$ be particular sets of states of $PP$. We say that a protector automaton $A$ for $PP$ and ports $K$ guarantees $G$ in $PP$ from $S$ given $R$ provided that every finite execution of the composition $PP \times A$ starting in a state in $S$ that only involves states in $R$ ends in a state in $G$. It is important to note that the first state of every such finite execution is in the set $\Theta_{PP \times A} \cap S$. In the special case where $R$ is the set of all states of $PP$, we sometimes omit explicit mention of $R$. Moreover, we often omit mention of $PP$ when the physical plant automaton is clear from context.

It is important to note that the definition of “guarantees” includes consideration of finite executions in which arbitrary inputs can arrive at $PP$ on ports other than those in $K$. The protector definition implies that regardless of what inputs occur on those ports, the protector $A$ still guarantees $G$ in $PP$ starting from $S$ given $R$.
The following substitutivity theorem states that an implementation of a correct protector is itself a correct protector.

Theorem 3.1.2 Let $A_1$ and $A_2$ be two protector automata for the same port set $K$, and suppose that $A_1 \leq A_2$. If $A_2$ guarantees $G$ in $PP$ from $S$ given $R$, then $A_1$ guarantees $G$ in $PP$ from $S$ given $R$.


Proof: Let $\alpha_{PP \times A_1}$ be any finite execution of the automaton $PP \times A_1$ that starts in a state in the set $S$ and is restricted to states in the set $R$. We must show that $\pi_{PP}(\alpha_{PP \times A_1}.lstate) \in G$.

Let $\alpha_{PP}$ be the projection of $\alpha_{PP \times A_1}$ to the $PP$ automaton and $\alpha_{A_2}$ be a finite execution of $A_2$ such that $h\text{-}trace(\alpha_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$. Adding environment actions appropriately to $\alpha_{PP}$ and $\alpha_{A_2}$, we obtain two new finite executions $\alpha'_{PP} = w^{PP}_0 a^{PP}_1 w^{PP}_1 a^{PP}_2 w^{PP}_2 \cdots$ and $\alpha'_{A_2} = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 a^{A_2}_2 w^{A_2}_2 \cdots$ of $PP$ and $A_2$, respectively, such that $w^{PP}_i.ltime = w^{A_2}_i.ltime$, for all $i \in \mathbb{N}$, and either $a^{PP}_i = a^{A_2}_i$, or $a^{PP}_i = e$, or $a^{A_2}_i = e$, for all $i \in \mathbb{N}^+$. The addition of environment actions to $\alpha_{PP}$ and $\alpha_{A_2}$ is intended to generate two new finite executions $\alpha'_{PP}$ and $\alpha'_{A_2}$, of $PP$ and $A_2$, respectively, in which the limit times of the trajectories in $\alpha'_{PP}$ and $\alpha'_{A_2}$ are equal, the actions in $\alpha_{PP}$ and $\alpha_{A_2}$ shared by $PP$ and $A_2$ appear in both hybrid executions $\alpha'_{PP}$ and $\alpha'_{A_2}$, the internal actions of $PP$ and the input actions of $PP$ on ports other than those in $K$ appear as environment actions in $\alpha'_{A_2}$, and the internal actions of $A_2$ appear as environment actions in $\alpha'_{PP}$. Also, it is important to note that all the environment actions added to $\alpha_{PP}$ and $\alpha_{A_2}$ to obtain $\alpha'_{PP}$ and $\alpha'_{A_2}$, respectively, correspond to inert $e$'s and do not appear in the hybrid traces $h\text{-}trace(\alpha'_{PP})$ and $h\text{-}trace(\alpha'_{A_2})$, i.e., $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$ and $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$.


Let $\alpha_i = w_0 a_1 w_1 a_2 w_2 \cdots a_i w_i$, for some $i \in \mathbb{N}$, be a finite hybrid execution comprised of a collection $w_0, w_1, w_2, \ldots, w_i$ of trajectories of $PP \times A_2$ and a collection $a_1, a_2, \ldots, a_i$ of actions of $PP \times A_2$, such that:

1. $\alpha_i = w_0 a_1 w_1 a_2 w_2 \cdots a_i w_i$ is a hybrid execution of $PP \times A_2$,
2. $\pi_{PP}(\alpha_i) = w^{PP}_0 a^{PP}_1 w^{PP}_1 a^{PP}_2 w^{PP}_2 \cdots a^{PP}_i w^{PP}_i$, and
3. $\pi_{A_2}(\alpha_i) = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 a^{A_2}_2 w^{A_2}_2 \cdots a^{A_2}_i w^{A_2}_i$.

By induction on the length $i$ of the finite execution $\alpha_i$, we show the existence of $\alpha_i$, for all $i \in \mathbb{N}$, and, moreover, the existence of a finite execution $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ of $PP \times A_2$ comprised of a collection $w_0, w_1, w_2, \ldots$ of trajectories of $PP \times A_2$ and a collection $a_1, a_2, \ldots$ of actions of $PP \times A_2$, such that $\pi_{PP}(\alpha) = \alpha'_{PP}$ and $\pi_{A_2}(\alpha) = \alpha'_{A_2}$.


For the base case, consider the finite execution $\alpha_0 = w_0$ of length 0. Since $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$, $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$, and $w^{PP}_0.ltime = w^{A_2}_0.ltime$, it follows that $w^{PP}_0(t)(z) = w^{A_2}_0(t)(z)$, for all $z \in E_{PP} \cap E_{A_2}$ and $t \in [0, w^{PP}_0.ltime]$. Thus, the valuations of $w^{PP}_0$ and $w^{A_2}_0$ are compatible, for all $t \in [0, w^{PP}_0.ltime]$, and the trajectory $w_0$ with domain $[0, w^{PP}_0.ltime]$ can be defined as $w_0 = w^{PP}_0 \cup w^{A_2}_0$. By the definition of $w_0$, it follows that $\pi_{PP}(w_0) = w^{PP}_0$ and $\pi_{A_2}(w_0) = w^{A_2}_0$. Moreover, these two conditions imply that $w_0$ is a hybrid execution of $PP \times A_2$.


For the inductive step, assuming that the finite execution $\alpha_k$ satisfies Properties 1, 2, and 3, for $i = k$, we must show that there exists a finite execution $\alpha_{k+1}$ that satisfies Properties 1, 2, and 3, for $i = k+1$. Let $a_{k+1} = a^{PP}_{k+1}$ if $a^{PP}_{k+1} \neq e$, and $a_{k+1} = a^{A_2}_{k+1}$ otherwise. Since $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$, $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$, and $w^{PP}_{i'}.ltime = w^{A_2}_{i'}.ltime$, for all $i' \in \mathbb{N}$, it follows that $(w^{PP}_0 a^{PP}_1 w^{PP}_1 \cdots a^{PP}_k w^{PP}_k a^{PP}_{k+1} (w^{PP}_{k+1}.fstate)).ltime = (w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 \cdots a^{A_2}_k w^{A_2}_k a^{A_2}_{k+1} (w^{A_2}_{k+1}.fstate)).ltime$ and $w^{PP}_{k+1}(t)(z) = w^{A_2}_{k+1}(t)(z)$, for $z \in E_{PP} \cap E_{A_2}$ and $t \in [0, w^{PP}_{k+1}.ltime]$. Thus, the valuations of $w^{PP}_{k+1}$ and $w^{A_2}_{k+1}$ are compatible, for all $t \in [0, w^{PP}_{k+1}.ltime]$, and the trajectory $w_{k+1}$ with domain $[0, w^{PP}_{k+1}.ltime]$ can be defined as $w_{k+1} = w^{PP}_{k+1} \cup w^{A_2}_{k+1}$. By the definition of $a_{k+1}$ and $w_{k+1}$ it follows that $\pi_{PP}((w_k.lstate)\, a_{k+1}\, w_{k+1}) = (w^{PP}_k.lstate)\, a^{PP}_{k+1}\, w^{PP}_{k+1}$ and $\pi_{A_2}((w_k.lstate)\, a_{k+1}\, w_{k+1}) = (w^{A_2}_k.lstate)\, a^{A_2}_{k+1}\, w^{A_2}_{k+1}$. Thus, from the induction hypothesis it follows that the finite hybrid execution $\alpha_{k+1} = w_0 a_1 w_1 a_2 w_2 \cdots a_k (w_k \frown (w_k.lstate)\, a_{k+1}\, w_{k+1}) = w_0 a_1 w_1 a_2 w_2 \cdots a_{k+1} w_{k+1}$ satisfies the conditions $\pi_{PP}(\alpha_{k+1}) = w^{PP}_0 a^{PP}_1 w^{PP}_1 \cdots a^{PP}_{k+1} w^{PP}_{k+1}$ and $\pi_{A_2}(\alpha_{k+1}) = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 \cdots a^{A_2}_{k+1} w^{A_2}_{k+1}$. Moreover, these two conditions imply that the hybrid execution $\alpha_{k+1}$ is a hybrid execution of $PP \times A_2$, as needed.


From the above induction, it follows that there exists a hybrid execution $\alpha$ of $PP \times A_2$ such that $\pi_{PP}(\alpha) = \alpha'_{PP}$ and $\pi_{A_2}(\alpha) = \alpha'_{A_2}$. However, recall that the execution $\alpha'_{PP}$ of $PP$ is derived from the execution $\pi_{PP}(\alpha_{PP \times A_1})$ by adding environment actions which correspond to inert $e$'s and do not appear in the hybrid trace of $\alpha'_{PP}$. Therefore, the execution $\alpha'_{PP}$ of $PP$ starts in a state in $S$ and is restricted to states in $R$ and, moreover, $\alpha'_{PP}.lstate = \pi_{PP}(\alpha_{PP \times A_1}.lstate)$. Finally, since $A_2$ guarantees $G$ in $PP$ from $S$ given $R$ it follows that $\alpha'_{PP}.lstate \in G$. Moreover, since $\alpha'_{PP}.lstate = \pi_{PP}(\alpha_{PP \times A_1}.lstate)$, it is the case that $\pi_{PP}(\alpha_{PP \times A_1}.lstate) \in G$, as needed. ∎


We end this section with several compositional theorems for protectors. The first two theorems consider the composition of two or more independent protectors. The third theorem considers the composition of two protectors, one of which depends on the other; that is, a one-way protector dependency. The fourth and fifth theorems consider the composition of two or more protectors that depend on each other; that is, two-way and multiple-way protector dependencies.


Theorem 3.1.3 Suppose that $A_1$ and $A_2$ are protector automata for $PP$, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that $A_1$ guarantees $G_1$ from $S_1$ given $R_1$, and $A_2$ guarantees $G_2$ from $S_2$ given $R_2$. If the protectors $A_1$ and $A_2$ are compatible, then their composition $A_1 \times A_2$ is a protector that guarantees $G_1 \cap G_2$ from $S_1 \cap S_2$ given $R_1 \cap R_2$.


Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times A_1 \times A_2$ that starts in a state in $S_1 \cap S_2$ and whose states are restricted to the set $R_1 \cap R_2$. Moreover, let $\alpha_{A_1}$ be the projection of $\alpha$ to the HIOA $PP \times A_1$, i.e., $\alpha_{A_1} = \pi_{PP \times A_1}(\alpha)$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_1}$. However, since $A_1$ guarantees $G_1$ from $S_1$ given $R_1$, $S_1 \cap S_2 \subseteq S_1$, and $R_1 \cap R_2 \subseteq R_1$, it follows that all reachable states of $PP$ in $\alpha_{A_1}$ are in $G_1$. Since $\alpha_{A_1}$ is the projection of $\alpha$ to the automaton $PP \times A_1$, it follows that all reachable states of $PP$ in $\alpha$ are in $G_1$ also.

Taking a similar projection of the execution $\alpha$ to the automaton $PP \times A_2$, the desired result follows. ∎


Theorem 3.1.4 Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for $PP$, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1,\ldots,k\}$, $i \neq i'$. Suppose that each of the protectors $A_i$, for all $i \in \{1,\ldots,k\}$, guarantees $G_i$ from $S_i$ given $R_i$. If the protectors $A_1, A_2, \ldots, A_k$ are compatible, then their composition $\prod_{i \in \{1,\ldots,k\}} A_i$ is a protector that guarantees $\bigcap_{i \in \{1,\ldots,k\}} G_i$ from $\bigcap_{i \in \{1,\ldots,k\}} S_i$ given $\bigcap_{i \in \{1,\ldots,k\}} R_i$.

Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times \prod_{i \in \{1,\ldots,k\}} A_i$ that starts in a state in $\bigcap_{i \in \{1,\ldots,k\}} S_i$ and whose states are restricted to the set $\bigcap_{i \in \{1,\ldots,k\}} R_i$. Moreover, let $\alpha_{A_{i'}}$ be the projection of $\alpha$ to the HIOA $PP \times A_{i'}$, for some $i' \in \{1,\ldots,k\}$, i.e., $\alpha_{A_{i'}} = \pi_{PP \times A_{i'}}(\alpha)$. Since the execution $\alpha$ starts in a state in $\bigcap_{i \in \{1,\ldots,k\}} S_i$ and is restricted to the states in $\bigcap_{i \in \{1,\ldots,k\}} R_i$, the same applies to the projected execution $\alpha_{A_{i'}}$. However, since $A_{i'}$ guarantees $G_{i'}$ from $S_{i'}$ given $R_{i'}$, $\bigcap_{i \in \{1,\ldots,k\}} S_i \subseteq S_{i'}$, and $\bigcap_{i \in \{1,\ldots,k\}} R_i \subseteq R_{i'}$, it follows that all reachable states of $PP$ in $\alpha_{A_{i'}}$ are in $G_{i'}$. Since $\alpha_{A_{i'}}$ is the projection of $\alpha$ to the automaton $PP \times A_{i'}$, it follows that all reachable states of $PP$ in $\alpha$ are in $G_{i'}$ also.

Taking similar projections of the execution $\alpha$ to each of the automata $PP \times A_{i''}$, for all $i'' \in \{1,\ldots,k\}$, the desired result follows. ∎


Theorem 3.1.5 Suppose that $A_1$ and $A_2$ are protector automata for $PP$, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that $A_1$ guarantees $G_1$ from $S_1$ given $R_1$ and $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$. If the protectors $A_1$ and $A_2$ are compatible, then their composition $A_1 \times A_2$ is a protector that guarantees $G_1 \cap G_2$ from $S_1 \cap S_2$ given $R_1 \cap R_2$.

Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times A_1 \times A_2$ that starts in a state in $S_1 \cap S_2$ and whose states are restricted to the set $R_1 \cap R_2$. Moreover, let $\alpha_{A_1}$ be the projection of $\alpha$ to the HIOA $PP \times A_1$, i.e., $\alpha_{A_1} = \pi_{PP \times A_1}(\alpha)$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_1}$. However, since $A_1$ guarantees $G_1$ from $S_1$ given $R_1$, $S_1 \cap S_2 \subseteq S_1$, and $R_1 \cap R_2 \subseteq R_1$, it follows that all reachable states of $PP$ in $\alpha_{A_1}$ are in $G_1$. Since $\alpha_{A_1}$ is the projection of $\alpha$ to the automaton $PP \times A_1$, it follows that all reachable states of $PP$ in $\alpha$ are in $G_1$ also.

Now, let $\alpha_{A_2}$ be the projection of the execution $\alpha$ to the automaton $PP \times A_2$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_2}$. From above however, all reachable states in $\alpha$ are in $G_1$ and, therefore, it follows that the execution $\alpha_{A_2}$ is restricted to the states in $R_1 \cap R_2 \cap G_1$. However, since $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$, $S_1 \cap S_2 \subseteq S_2$, and $R_1 \cap R_2 \cap G_1 \subseteq R_2 \cap G_1$, it follows that all reachable states of $PP$ in $\alpha_{A_2}$ are in $G_2$. Finally, since $\alpha_{A_2}$ is the projection of $\alpha$ to the automaton $PP \times A_2$, it follows that all reachable states of $PP$ in $\alpha$ are in $G_2$ also. ∎


The fourth and fifth composition theorems require a preliminary lemma. 


Lemma 3.1.6 Suppose that $A$ is a protector automaton for $PP$, with port set $K$. Suppose that $A$ guarantees $G$ from $S$ given $R \cap G'$.

Let $\alpha$ be any finite execution of $PP \times A$ starting in $S$ and all of whose states are in $R$. Letting $(i,t,s)$ be any state occurrence in $\alpha$, if $s \notin G$ then $(i,t,s) \in past(\overline{G'}, \alpha)$.

Proof: Suppose for the sake of contradiction that $s \notin G$ and $(i,t,s) \notin past(\overline{G'}, \alpha)$. Let $\alpha_1$ be the prefix of $\alpha$ ending with $(i,t,s)$. Then, all states of $\alpha_1$ are in $G'$. Since $A$ guarantees $G$ from $S$ given $R \cap G'$, it follows that all states of $\alpha_1$ are in $G$. But this contradicts the assumption that $s \notin G$. ∎


Now we can prove the fourth composition theorem — the one involving a two-way protector dependency.


Theorem 3.1.7 Suppose that $A_1$ and $A_2$ are protector automata for $PP$, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that the protector $A_1$ guarantees $G_1$ from $S_1$ given $R_1 \cap G_2$ and the protector $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$.

Assume that $\alpha$ is any finite execution of the system $PP \times A_1 \times A_2$, starting from a state in $S_1 \cap S_2$ and all of whose states are in $R_1 \cap R_2$.

Then, one of the following holds:

1. Every state in $\alpha$ is in $G_1 \cap G_2$.

2. The finite execution $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where
(a) all state occurrences in $\alpha_1$ except possibly the last are in $G_1 \cap G_2$,
(b) the last state occurrence in $\alpha_1$ is in $G_1$ if and only if it is in $G_2$, and
(c) all state occurrences in $\alpha_2$ except possibly the first are in $past(\overline{G_1}, \alpha) \cap past(\overline{G_2}, \alpha)$.

Proof: Fix $\alpha$ as in the hypothesis. If every state in $\alpha$ is in $G_1 \cap G_2$ then we are done, so assume that some state in $\alpha$ is in $\overline{G_1} \cup \overline{G_2}$. Let $B_1$ and $B_2$ denote $\overline{G_1}$ and $\overline{G_2}$, respectively.

Let $w_i$ be the first trajectory in $\alpha$ containing an occurrence of a state in $B_1 \cup B_2$, and suppose that $w_i$ is a $T_i$-trajectory. Let $T'_i$ be the subset of $T_i$ consisting of all $t$ such that $(i, t, w_i(t)) \in past(B_1 \cup B_2, \alpha)$. Then, $T'_i$ is a non-empty subinterval of $T_i$ that is “upward-closed”, i.e., if $t \in T'_i$, $t' \in T_i$, and $t < t'$ then $t' \in T'_i$. Since $T'_i$ is an interval of reals, it has a left endpoint $t$, which might or might not itself be in $T'_i$. Let $s = w_i(t)$.

Then, we claim that splitting $\alpha$ exactly at $(i,t,s)$ yields the needed decomposition into $\alpha_1$ and $\alpha_2$. There are three conditions to check:

1. All state occurrences in $\alpha_1$ except possibly the last are in $G_1 \cap G_2$.
This is true by the definitions of $past$ and $T'_i$.

2. $s \in G_1$ if and only if $s \in G_2$.
Suppose that $s \in B_1$. Then, Lemma 3.1.6 implies that $(i,t,s) \in past(B_2, \alpha)$. However, the definition of $T'_i$ implies that no state occurrence preceding $(i,t,s)$ is in $B_2$. Therefore, it follows that $s \in B_2$. Similarly, if $s \in B_2$ then $s \in B_1$.

3. All state occurrences in $\alpha_2$ except possibly the first are in $past(B_1, \alpha) \cap past(B_2, \alpha)$.
Consider any state occurrence $(i',t',s')$ in $\alpha_2$ other than the first. By definition of $\alpha_2$ and $past$, it must be that $(i',t',s') \in past(B_1 \cup B_2, \alpha)$. Suppose, without loss of generality, that $(i',t',s') \in past(B_1, \alpha)$. This means that either $(i',t',s') \in B_1$, or there is a state occurrence $(i'',t'',s'')$ preceding $(i',t',s')$ in $\alpha$ such that $(i'',t'',s'') \in B_1$. In the former case, Lemma 3.1.6 implies that $(i',t',s') \in past(B_2, \alpha)$. In the latter case, Lemma 3.1.6 implies that $(i'',t'',s'') \in past(B_2, \alpha)$. This in turn implies that $(i',t',s') \in past(B_2, \alpha)$. This suffices.


In the following theorem, we extend the composition theorem of the two-way protector dependency case to the multiple-way protector dependency case; that is, the case in which the operation of each of the protectors within a prespecified set of protectors relies on the operation of all the other protectors in the set.
Theorem 3.1.8 Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for $PP$, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1,\ldots,k\}$, $i \neq i'$. Suppose that each of the protectors $A_i$, for all $i \in \{1,\ldots,k\}$, guarantees $G_i$ from $S_i$ given $R_i \cap \left(\bigcap_{i' \in \{1,\ldots,k\},\, i' \neq i} G_{i'}\right)$.

Assume that $\alpha$ is any finite execution of the system $PP \times \prod_{i \in \{1,\ldots,k\}} A_i$, starting from a state in $\bigcap_{i \in \{1,\ldots,k\}} S_i$ and all of whose states are in $\bigcap_{i \in \{1,\ldots,k\}} R_i$.

Then, one of the following holds:

1. Every state in $\alpha$ is in $\bigcap_{i \in \{1,\ldots,k\}} G_i$.

2. The finite execution $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where
(a) all state occurrences in $\alpha_1$ except possibly the last are in $\bigcap_{i \in \{1,\ldots,k\}} G_i$,
(b) if the last state occurrence in $\alpha_1$ is in $\overline{G_i}$, for some $i \in \{1,\ldots,k\}$, then there exists $i' \in \{1,\ldots,k\}$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{i'}}$, and
(c) all state occurrences in $\alpha_2$ except possibly the first are in $\bigcap_{i \in I} past(\overline{G_i}, \alpha)$, for some $I \subseteq \{1,\ldots,k\}$, where $|I| \geq 2$.

Proof: Fix $\alpha$ as in the hypothesis. If every state in $\alpha$ is in $\bigcap_{i \in \{1,\ldots,k\}} G_i$ then we are done, so assume that some state in $\alpha$ is in $\bigcup_{i \in \{1,\ldots,k\}} \overline{G_i}$. For all $i \in \{1,\ldots,k\}$, let $B_i$ denote $\overline{G_i}$.

Let $w_j$ be the first trajectory in $\alpha$ containing an occurrence of a state in $\bigcup_{i \in \{1,\ldots,k\}} B_i$, and suppose that $w_j$ is a $T_j$-trajectory. Let $T'_j$ be the subset of $T_j$ consisting of all $t$ such that $(j, t, w_j(t)) \in past(\bigcup_{i \in \{1,\ldots,k\}} B_i, \alpha)$. Then, $T'_j$ is a non-empty subinterval of $T_j$ that is “upward-closed”, i.e., if $t \in T'_j$, $t' \in T_j$, and $t < t'$ then $t' \in T'_j$. Since $T'_j$ is an interval of reals, it has a left endpoint $t$, which might or might not itself be in $T'_j$. Let $s = w_j(t)$.

Then, we claim that splitting $\alpha$ exactly at $(j,t,s)$ yields the needed decomposition into $\alpha_1$ and $\alpha_2$. There are three conditions to check:

1. All state occurrences in $\alpha_1$ except possibly the last are in $\bigcap_{i \in \{1,\ldots,k\}} G_i$.
This is true by the definitions of $past$ and $T'_j$.

2. If the last state occurrence in $\alpha_1$ is in $\overline{G_i}$, for some $i \in \{1,\ldots,k\}$, then there exists $i' \in \{1,\ldots,k\}$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{i'}}$.
Suppose that $s \in B_i$, for some $i \in \{1,\ldots,k\}$. Then, Lemma 3.1.6 implies that $(j,t,s) \in past\left(\overline{\bigcap_{i' \in \{1,\ldots,k\},\, i' \neq i} G_{i'}}, \alpha\right)$, i.e., $(j,t,s) \in past\left(\bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}, \alpha\right)$. The definition of $T'_j$ implies that no state occurrence preceding $(j,t,s)$ is in the set $\bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}$. Therefore, it follows that $s \in \bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}$. This suffices.

3. All state occurrences in $\alpha_2$ except possibly the first are in $\bigcap_{i \in I} past(\overline{G_i}, \alpha)$, for some $I \subseteq \{1,\ldots,k\}$, where $|I| \geq 2$.
Consider any state occurrence $(j',t',s')$ in $\alpha_2$ other than the first. By definition of $\alpha_2$ and $past$, it must be that $(j',t',s') \in past(\bigcup_{i \in \{1,\ldots,k\}} B_i, \alpha)$. Suppose, without loss of generality, that $(j',t',s') \in past(B_i, \alpha)$, for some $i \in \{1,\ldots,k\}$. This means that either $(j',t',s') \in B_i$, or there is a state occurrence $(j'',t'',s'')$ preceding $(j',t',s')$ in $\alpha$ such that $(j'',t'',s'') \in B_i$. In the former case, Lemma 3.1.6 implies that the state occurrence $(j',t',s')$ satisfies the condition $(j',t',s') \in past\left(\overline{\bigcap_{i' \in \{1,\ldots,k\},\, i' \neq i} G_{i'}}, \alpha\right)$, which is equivalent to $(j',t',s') \in past\left(\bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}, \alpha\right)$. In the latter case, Lemma 3.1.6 implies that the state occurrence $(j'',t'',s'')$ satisfies the condition $(j'',t'',s'') \in past\left(\overline{\bigcap_{i' \in \{1,\ldots,k\},\, i' \neq i} G_{i'}}, \alpha\right)$, which is equivalent to $(j'',t'',s'') \in past\left(\bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}, \alpha\right)$. This in turn implies that $(j',t',s') \in past\left(\bigcup_{i' \in \{1,\ldots,k\},\, i' \neq i} B_{i'}, \alpha\right)$. This suffices.


3.2 An Abstract Protector

In this section, we define an abstract protector that is parameterized in terms of:

• $PP$, a particular physical plant automaton,
• $R$, $G$, and $S$, sets of states of $PP$,
• $j$, a particular port of $PP$, and
• $d$, a positive real-valued sampling period.

The $PP$ automaton represents the physical plant being modeled. The set $R$ is the set of states to which we restrict the states of the $PP$ automaton while considering a particular protector. This set is usually comprised of states satisfying a particular property of the physical plant that is required by the protector under consideration. The set $G$ is the set of “good” states; that is, the set of states to which the protector is designed to constrain the $PP$ automaton. The set $S$ is a set of states from which the protector under consideration is said to guarantee $G$ given $R$; that is, given that the states of the $PP$ automaton are restricted to the set $R$, the protector guarantees that every finite execution starting from an initial state in $S$ ends in a state in $G$. The protector communicates with the $PP$ automaton through the port $j$ and has a positive real-valued sampling period $d$.


The protector is composed of a sensor automaton and a discrete controller automaton as shown in Figure 3.1. Both the sensor and the discrete controller are described abstractly in terms of $PP$, etc. At intervals of $d$ time units, the sensor automaton samples the output variables of the $PP$ automaton. The discrete controller automaton is rather nondeterministic. Based on the output state information of the $PP$ automaton sampled by the sensor, the discrete controller issues protective actions so as to guarantee that the $PP$ automaton stays within the set $G$ starting from $S$ given $R$.

Figure 3.1 Compositional structure of a physical plant and an abstract protector.


A particular instantiation of the abstract parameterized protector $Abs(PP, S, R, G, j, d)$ can be defined by simply specifying the parameters $PP$, $S$, $R$, $G$, $j$, and $d$. Often, after explicitly defining the parameters $PP$, $S$, $R$, $G$, $j$, and $d$, we refer to the particular abstract protector using only its port index, i.e., $Abs_j$. The same applies for the parameterized sensor and discrete controller automata $Sensor(PP, S, R, G, j, d)$ and $DC(PP, S, R, G, j, d)$, respectively.


In several of the following chapters, we give explicit definitions of protectors for specific choices of $PP$, etc. The abstract protector of this section is used to aid in proving correctness of the later protectors.


3.2.1 Terminology and Assumptions 


In this section, we define several functions and sets, which are useful in the definition and in the proof of correctness of the abstract protector, and present the assumptions made about the physical plant and the abstract protector automata. It is important to note that the assumptions presented in this section must be satisfied by any physical plant and abstract protector automata defined and analyzed using the framework developed in this thesis. Throughout this section, we also state several lemmas which are used in subsequent sections and chapters.


We begin by stating two simple assumptions about the physical plant automaton. First, we assume that the $PP$ automaton has no input variables on port $j$, for all $j \in J$; that is, the protectors control the state of the physical plant only through input actions. A consequence of this assumption is that the environment action of the $PP$ automaton is stuttering. Second, we assume that the $PP$ automaton has no output actions on port $j$, for all $j \in J$. The physical plant is modeled as a passive system in the sense that the protectors observe the state of the plant only through output variables. These two assumptions are formally stated by the following two axioms.


Axiom 3.2.1 The $PP$ automaton has no input variables on any of its ports, i.e., $U_{PP_j} = \emptyset$, for all $j \in J$.

Axiom 3.2.2 The $PP$ automaton has no output actions on any of its ports, i.e., $\Sigma^{out}_{PP_j} = \emptyset$, for all $j \in J$.


Next, we define a function, $future_{PP,R,j}$, that yields the set of states of $PP$ that are $R$-reachable from the given subset of $R$ within an amount of time in the given subset of $\mathbb{R}^{\geq 0}$, under the constraint that no input actions arrive on port $j$ of the $PP$ automaton.

$future_{PP,R,j} : \mathcal{P}(R) \times \mathcal{P}(\mathbb{R}^{\geq 0}) \to \mathcal{P}(R)$, defined by:
$p \in future_{PP,R,j}(P, T)$, where $P \subseteq R$ and $T \subseteq \mathbb{R}^{\geq 0}$, if and only if $p$ is $R$-reachable from some $p' \in P$ via a finite execution fragment $\alpha$ of $PP$ with no input actions on port $j$ and with $\alpha.ltime \in T$.

When either argument of the function $future_{PP,R,j}$ is a singleton set, we omit the set brackets, e.g., for any $p \in R$ and $t \in \mathbb{R}^{\geq 0}$, we write $future_{PP,R,j}(p, t)$ as shorthand for $future_{PP,R,j}(\{p\}, \{t\})$. Moreover, it is important to note that the function $future_{PP,R,j}$ depends on the automaton $PP$, the set $R$, and the port $j$. Henceforth however, when the automaton $PP$, the set $R$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $future$ instead of $future_{PP,R,j}$.
Lemma 3.2.1 For all $P, P' \subseteq R$, $T, T' \subseteq \mathbb{R}^{\geq 0}$, and $t, t' \in \mathbb{R}^{\geq 0}$, the following are true:

1. If $P \subseteq P'$ and $T \subseteq T'$ then $future_{PP,R,j}(P, T) \subseteq future_{PP,R,j}(P', T')$.
2. $future_{PP,R,j}(P, t + t') = future_{PP,R,j}(future_{PP,R,j}(P, t), t')$.
3. $P \subseteq future_{PP,R,j}(P, 0)$.
4. $future_{PP,R,j}(future_{PP,R,j}(P, T), T') = future_{PP,R,j}(P, T'')$, where $T'' = \{\tau + \tau' \mid \tau \in T \text{ and } \tau' \in T'\}$.

Proof: Follows directly from the definition of the function $future$. ∎
Lemma 3.2.2 Suppose that $a$ is any discrete action of $PP$ other than an input action on port $j$ and that $p, p' \in R$ such that $p \xrightarrow{a} p'$. Then, for any $T \subseteq \mathbb{R}^{\geq 0}$, $future_{PP,R,j}(p', T) \subseteq future_{PP,R,j}(p, T)$.

Proof: Lemma 3.2.1, part 1, and the fact that $p' \in future(p, 0)$ imply that $future(p', T) \subseteq future(future(p, 0), T)$. Moreover, Lemma 3.2.1, part 4, implies that $future(future(p, 0), T) = future(p, T)$. Therefore, it follows that $future(p', T) \subseteq future(p, T)$, as needed. ∎


We define a function, $no\text{-}op_{PP,R,j}$, which yields, for a given state in $R$, the set of input actions on port $j$ of the $PP$ automaton that do not affect the state of the $PP$ automaton, provided they are executed prior to either time-passage, or other input actions on port $j$.

$no\text{-}op_{PP,R,j} : R \to \mathcal{P}(\Sigma^{in}_{PP_j})$, defined by:
$\pi \in no\text{-}op_{PP,R,j}(p)$ if and only if $\pi$ is an input action on port $j$ of $PP$ such that for all $p', p'' \in R$ satisfying $p' \in future_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p' = p''$.

Henceforth, for any state $p$ in $R$, the input actions in the set $no\text{-}op_{PP,R,j}(p)$ are referred to as no-op input actions on port $j$ of $PP$ for the state $p$.

It is important to note that the above definition of the function $no\text{-}op_{PP,R,j}$ conforms to Axiom D3 of the HIOA model of Section 2.2 since, by Axiom 3.2.1, the $PP$ automaton has no input variables on any of its ports. Moreover, the function $no\text{-}op_{PP,R,j}$ depends on the automaton $PP$, the set $R$, and the port $j$. Henceforth however, when the automaton $PP$, the set $R$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $no\text{-}op$ instead of $no\text{-}op_{PP,R,j}$.


We proceed by stating another assumption about the physical plant automaton $PP$. We assume that there exist no-op input actions on port $j$ for every state of the $PP$ automaton in the set $R$. This assumption is formally stated by the following axiom.

Axiom 3.2.3 For every $p \in R$, it is the case that $no\text{-}op_{PP,R,j}(p) \neq \emptyset$.

Axiom 3.2.3 states that no-op input actions on port $j$ exist for every state $p$ of $PP$ in $R$. It is important to realize, however, that Axiom 3.2.3 does not claim that for $p \in R$ it is possible to determine from the valuation $y = p\lceil Y_{PP}$ of the output variables of the $PP$ automaton which input actions are no-op input actions on port $j$ for the state $p$. In fact, it is plausible that the information provided by the output variables $Y_{PP}$ of the $PP$ automaton is not sufficient to determine which of the input actions $\Sigma^{in}_{PP_j}$ are no-op input actions on port $j$ for each state $p$ of the $PP$ automaton in the set $R$.

Since the $PP$ automaton is assumed to have no input variables on any of its ports (Axiom 3.2.1), input actions of the physical plant are often “idempotent”, in the sense that in any execution of the $PP$ automaton if any particular input action $\pi$ on port $j$ is performed consecutively multiple times with no other intervening input actions on port $j$, then all such input actions $\pi$ except the first do not change the state of the $PP$ automaton. For any physical plant automaton $PP$ in which all input actions are idempotent and any state $p$ of the $PP$ automaton in the set $R$, the most recently performed input action on port $j$ is a no-op input action on port $j$ for the state $p$.


We define a set, $\text{very-safe}_{PP,R,G,j}$, which is comprised of the states of PP that satisfy R and from which all R-reachable states of PP with no input actions on port j are in G. The set $\text{very-safe}_{PP,R,G,j}$ may be interpreted as the set consisting of the states from which the PP automaton is bound to remain within the set G provided that it remains within the set R and the protector on port j does not retract or issue additional protective actions.

$\text{very-safe}_{PP,R,G,j} \subseteq R$, defined by:

$p \in \text{very-safe}_{PP,R,G,j}$ if and only if $\text{future}_{PP,R,j}(p, \mathbb{R}^{\geq 0}) \subseteq G$.

It is important to note that the set $\text{very-safe}_{PP,R,G,j}$ depends on the automaton PP, the sets R and G, and the port j. Henceforth however, when the automaton PP, the sets R and G, and the port j are clear from context, they are omitted; that is, we use the notation very-safe instead of $\text{very-safe}_{PP,R,G,j}$.


Lemma 3.2.3

1. $\text{very-safe}_{PP,R,G,j} \subseteq G$.

2. If $p \in \text{very-safe}_{PP,R,G,j}$ then $\text{future}_{PP,R,j}(p, \mathbb{R}^{\geq 0}) \subseteq \text{very-safe}_{PP,R,G,j}$.

Proof: Follows directly from the definition of very-safe. ∎


We define a set, $\text{safe}_{PP,R,G,j}$, which is comprised of the states of PP that satisfy R and from which the protector on port j has a "winning protective strategy". Namely, there exists an input action on port j of the PP automaton whose immediate execution — its execution prior to any time-passage with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port j — guarantees that all subsequent R-reachable states of PP with no input actions on port j are in G; that is, the state following the execution of the particular input action of PP on port j is in the set $\text{very-safe}_{PP,R,G,j}$.

$\text{safe}_{PP,R,G,j} \subseteq R$, defined by:

$p \in \text{safe}_{PP,R,G,j}$ if and only if both of the following hold:

1. $\text{future}_{PP,R,j}(p,0) \subseteq G$.

2. There exists an input action $\pi$ on port j, such that for every $p', p'' \in R$ satisfying $p' \in \text{future}_{PP,R,j}(p,0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{very-safe}_{PP,R,G,j}$.

It is important to note that the set $\text{safe}_{PP,R,G,j}$ depends on the automaton PP, the sets R and G, and the port j. Henceforth however, when the automaton PP, the sets R and G, and the port j are clear from context, they are omitted; that is, we use the notation safe instead of $\text{safe}_{PP,R,G,j}$.


We overload the notation $\text{safe}_{PP,R,G,j}$ by defining a function, $\text{safe}_{PP,R,G,j}$, which yields the states of PP that satisfy R and for which the immediate execution of the given input action on port j — its execution prior to any time-passage with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port j — guarantees that all subsequent R-reachable states of PP with no input actions on port j are in G; that is, the state following the execution of the given input action on port j is in the set $\text{very-safe}_{PP,R,G,j}$.

$\text{safe}_{PP,R,G,j} : \Pi^{in}_{PP,j} \to \mathcal{P}(R)$, defined by:

$p \in \text{safe}_{PP,R,G,j}(\pi)$ if and only if both of the following hold:

1. $\text{future}_{PP,R,j}(p,0) \subseteq G$.

2. For every $p', p'' \in R$ such that $p' \in \text{future}_{PP,R,j}(p,0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{very-safe}_{PP,R,G,j}$.

It is important to note that the function $\text{safe}_{PP,R,G,j}$ depends on the automaton PP, the sets R and G, and the port j. Henceforth however, when the automaton PP, the sets R and G, and the port j are clear from context, they are omitted; that is, we use the notation $\text{safe}(\pi)$ instead of $\text{safe}_{PP,R,G,j}(\pi)$, for any input action $\pi$ of PP on port j.


Lemma 3.2.4

1. $\text{safe}_{PP,R,G,j} \subseteq G$.

2. For any $p \in R$, $p \in \text{safe}_{PP,R,G,j}$ if and only if $\text{future}_{PP,R,j}(p,0) \subseteq \text{safe}_{PP,R,G,j}$.

3. $\text{very-safe}_{PP,R,G,j} \subseteq \text{safe}_{PP,R,G,j}$.

Proof:

1. Let p be any state in safe. From the definition of safe it follows that $\text{future}(p,0) \subseteq G$. Therefore, Lemma 3.2.1, part 3, implies that $p \in G$. It follows that $\text{safe} \subseteq G$.

2. In the forward direction, let $p \in \text{safe}$ and $p' \in \text{future}(p,0)$. We must show that $p' \in \text{safe}$; that is, we must show that (i) $\text{future}(p',0) \subseteq G$, and (ii) there exists an input action $\pi$ on port j such that for all $p'', p''' \in R$ satisfying $p'' \in \text{future}(p',0)$ and $p'' \xrightarrow{\pi}_{PP} p'''$, it is the case that $p''' \in \text{very-safe}$. Lemma 3.2.2 implies that $\text{future}(p',0) \subseteq \text{future}(p,0)$ and, therefore, the conditions to be shown follow from the fact that $p \in \text{safe}$.

For the converse, let $p \in R$ and $\text{future}(p,0) \subseteq \text{safe}$. We must show that $p \in \text{safe}$. From Lemma 3.2.1, part 3, it is the case that $p \in \text{future}(p,0)$. Therefore, it follows that $p \in \text{safe}$.

3. Letting $p \in \text{very-safe}$, we must show that $p \in \text{safe}$; that is, we must show that (i) $\text{future}(p,0) \subseteq G$, and (ii) there exists an input action $\pi$ on port j such that for all $p', p'' \in R$ satisfying $p' \in \text{future}(p,0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{very-safe}$.

For the first condition, Lemma 3.2.1, part 1, implies that $\text{future}(p,0) \subseteq \text{future}(p, \mathbb{R}^{\geq 0})$. However, since $p \in \text{very-safe}$ it is the case that $\text{future}(p, \mathbb{R}^{\geq 0}) \subseteq G$. Therefore, it follows that $\text{future}(p,0) \subseteq G$, as needed.

For the second condition, since $\text{no-op}(p) \neq \emptyset$ by Axiom 3.2.3, let $\pi \in \text{no-op}(p)$. Moreover, let $p', p'' \in R$ such that $p' \in \text{future}(p,0)$ and $p' \xrightarrow{\pi}_{PP} p''$. Since $p \in \text{very-safe}$, Lemma 3.2.3, part 2, implies that $p' \in \text{very-safe}$. Moreover, since $\pi$ is defined to be a no-op input action on port j for the state p, it follows that $p'' = p'$. Therefore, it is the case that $p'' \in \text{very-safe}$, as needed. ∎


We proceed by stating two more assumptions about the PP automaton. We assume that membership of a state of the PP automaton in the set safe is determinable from the output variables of the PP automaton, i.e., the set safe is $Y_{PP}$-determinable (as defined in Section 2.1). Moreover, we assume that for any state in the set safe, an appropriate action to guarantee safety can be determined from the output variables of the PP automaton, i.e., the variables in $Y_{PP}$. These two assumptions are formally stated by the following two axioms.

Axiom 3.2.4 $\text{safe}_{PP,R,G,j}$ is $Y_{PP}$-determinable.

For any valuation y of the output variables $Y_{PP}$ of the PP automaton, we use the notation $y \in \text{safe}$ to denote the existence of a state $p \in \text{safe}$ such that $p\lceil Y_{PP} = y$. In fact, by Axiom 3.2.4, for any valuation y of the output variables $Y_{PP}$ of the PP automaton, the existence of a state $p \in \text{safe}$ such that $p\lceil Y_{PP} = y$ implies that all states $p' \in R$ such that $p'\lceil Y_{PP} = y$ are in the set safe.

Axiom 3.2.5 There exists a function, decision, from valuations of $Y_{PP}$ to $\Pi^{in}_{PP,j}$, such that for any $y \in Y_{PP}$ and $p \in R$ satisfying $p\lceil Y_{PP} = y$, it is the case that if $y \in \text{safe}_{PP,R,G,j}$ then $p \in \text{safe}_{PP,R,G,j}(\text{decision}(y))$.


We define a function, $\text{delay-safe}_{PP,R,G,j}$, which yields the set of states of PP that satisfy R and for which all states R-reachable within the given amount of time and with no input actions on port j are in G, and all states R-reachable in exactly the given amount of time and with no input actions on port j are in $\text{safe}_{PP,R,G,j}$.

$\text{delay-safe}_{PP,R,G,j} : \mathbb{R}^{\geq 0} \to \mathcal{P}(R)$, defined by:

$p \in \text{delay-safe}_{PP,R,G,j}(t)$ if and only if both of the following hold:

1. $\text{future}_{PP,R,j}(p,[0,t]) \subseteq G$.

2. $\text{future}_{PP,R,j}(p,t) \subseteq \text{safe}_{PP,R,G,j}$.

It is important to note that the function $\text{delay-safe}_{PP,R,G,j}$ depends on the automaton PP, the sets R and G, and the port j. Henceforth however, when the automaton PP, the sets R and G, and the port j are clear from context, they are omitted; that is, we use the notation $\text{delay-safe}(t)$ instead of $\text{delay-safe}_{PP,R,G,j}(t)$, for any $t \in \mathbb{R}^{\geq 0}$.

Lemma 3.2.5 For any $t, t' \in \mathbb{R}^{\geq 0}$, such that $t < t'$, the following hold:

1. $\text{very-safe}_{PP,R,G,j} \subseteq \text{delay-safe}_{PP,R,G,j}(t)$.

2. $\text{safe}_{PP,R,G,j} = \text{delay-safe}_{PP,R,G,j}(0)$.

3. $\text{delay-safe}_{PP,R,G,j}(t') \subseteq \text{delay-safe}_{PP,R,G,j}(t)$.

Proof: Follows directly from the definitions of very-safe, safe, and $\text{delay-safe}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, and Lemmas 3.2.3 and 3.2.4. ∎


We conclude by stating three assumptions made about the abstract protector automaton. In particular, we assume that the state information provided by the output variables of the PP automaton is sufficient to determine membership of any state of the PP automaton in the sets R and G, i.e., the sets R and G are $Y_{PP}$-determinable (as defined in Section 2.1). Moreover, we assume that the set of start states S is a subset of the set safe. These assumptions are formally stated by the following three axioms.

Axiom 3.2.6 R is $Y_{PP}$-determinable.

Axiom 3.2.7 G is $Y_{PP}$-determinable.

Axiom 3.2.8 $S \subseteq \text{safe}_{PP,R,G,j}$.

As noted above, all assumptions described by Axioms 3.2.1–3.2.8 must be satisfied by the physical plant and abstract protector automata defined and analyzed using the framework developed in this thesis.


3.2.2 Sensor Automata

The sensor automaton $\text{Sensor}_j$, defined in Figure 3.2, behaves as follows: at time 0 and every d time units thereafter, it outputs the valuation y of the output variables $Y_{PP}$ of the PP automaton using a $\text{snapshot}(y)_j$ output action. The $\text{Sensor}_j$ automaton keeps track of the appropriate times for scheduling each $\text{snapshot}(y)_j$ action, for $y \in Y_{PP}$, using the internal variables $\text{now}_j$ and $\text{next-snap}_j$. The variable $\text{now}_j$ stores the time that has elapsed from the beginning of the particular execution of the $\text{Sensor}_j$ automaton. The variable $\text{next-snap}_j$ stores the next point in time at which the output variables $Y_{PP}$ of the PP automaton must be sampled.

Figure 3.2 $\text{Sensor}_j$ automaton definition.

Actions:
  Input:  e, the environment action
  Output: $\text{snapshot}(y)_j$, for each valuation y of $Y_{PP}$, i.e., for all $y \in Y_{PP}$

Variables:
  Input:    $u \in \text{type}(u)$, for all $u \in Y_{PP}$, initially $u \in \text{type}(u)$, for each $u \in Y_{PP}$
  Internal: $\text{now}_j \in \mathbb{R}^{\geq 0}$, initially 0
            $\text{next-snap}_j \in \mathbb{R}^{\geq 0}$, initially 0

Discrete Transitions:
  e
    Eff: $Y_{PP} :\in Y_{PP}$
  $\text{snapshot}(y)_j$
    Pre: $\text{next-snap}_j = \text{now}_j$
         y is the current valuation of $Y_{PP}$
    Eff: $Y_{PP} :\in Y_{PP}$
         $\text{next-snap}_j := \text{now}_j + d$

Trajectories:
  for all $u \in Y_{PP}$
    u assumes arbitrary values in $\text{type}(u)$ throughout w
  $\text{next-snap}_j$ is constant throughout w
  for all $t \in T_w$
    $w(t).\text{now}_j = w(0).\text{now}_j + t$
    $w(t).\text{now}_j \leq w(t).\text{next-snap}_j$


The discrete actions of the $\text{Sensor}_j$ automaton are the input action e and the output actions $\text{snapshot}(y)_j$, for all $y \in Y_{PP}$. The environment action e allows for arbitrary changes to the input variables $Y_{PP}$ as a consequence of discrete transitions outside the $\text{Sensor}_j$ automaton but does not affect the local variables of the $\text{Sensor}_j$ automaton. Each $\text{snapshot}(y)_j$ action, for $y \in Y_{PP}$, outputs the valuation y of the output variables $Y_{PP}$ of the PP automaton. In order to conform to Axiom D3 of the HIOA model of Section 2.2, each input variable u of the $\text{Sensor}_j$ automaton, for $u \in Y_{PP}$, is assigned an arbitrary value in the set $\text{type}(u)$. It can easily be seen that the $\text{Sensor}_j$ automaton satisfies the Axioms D1–D3 of the HIOA model of Section 2.2.
The trajectory specification for the $\text{Sensor}_j$ automaton gives restrictions on a trajectory w with domain $T_w$. Since the $\text{Sensor}_j$ automaton has no control over its input variables, the input variables of the $\text{Sensor}_j$ automaton are allowed to change arbitrarily throughout a trajectory w. It is important to note that the $\text{Sensor}_j$ automaton does not allow time-passage unless the condition $\text{now}_j < \text{next-snap}_j$ is satisfied. As a result, in order for time to proceed when $\text{now}_j = \text{next-snap}_j$, a $\text{snapshot}(y)_j$ output action, for some $y \in Y_{PP}$, is eventually scheduled. It can easily be seen that the $\text{Sensor}_j$ automaton satisfies the Axioms T1–T3 of the HIOA model of Section 2.2.

Finally, since each input variable u of the $\text{Sensor}_j$ automaton, for $u \in Y_{PP}$, can initially assume an arbitrary value in the set $\text{type}(u)$, the $\text{Sensor}_j$ automaton satisfies Axiom Init of the HIOA model of Section 2.2. Since the $\text{Sensor}_j$ automaton satisfies the Axioms Init, D1–D3, and T1–T3 of the HIOA model of Section 2.2, it follows that it is a HIOA.


3.2.3 Discrete Controller Automata

The discrete controller automaton $\text{DC}_j$, defined in Figure 3.3, uses the valuation of the output variables of the PP automaton, which is sampled by the $\text{Sensor}_j$ automaton, to determine which protective action must be scheduled so as to guarantee that (i) the PP automaton remains within the set G up to the next sampling point, and (ii) the state of the PP automaton at the next sampling point is in the set safe.

The discrete actions of the $\text{DC}_j$ automaton are the input action e, the input actions $\text{snapshot}(y)_j$, for all $y \in Y_{PP}$, and the output actions $\pi$, for all $\pi \in \Pi^{in}_{PP,j}$. The environment action e allows the scheduling of discrete transitions outside the $\text{DC}_j$ automaton. Since the $\text{DC}_j$ automaton has no input variables, the environment action e is stuttering; that is, the execution of the environment action e does not affect the state of the $\text{DC}_j$ automaton. Each $\text{snapshot}(y)_j$ action, for $y \in Y_{PP}$, determines which output action $\pi$ in the set $\Pi^{in}_{PP,j}$ should be scheduled and stores it in the internal variable $\text{send}_j$. In a subsequent step, prior to any time-passage but with the possibility of intervening discrete actions, the $\text{DC}_j$ automaton schedules the output action $\pi$ that is stored in the internal variable $\text{send}_j$. It is important to note that time-passage is not enabled while any of the actions $\pi$ in $\Pi^{in}_{PP,j}$ is enabled. As a result, in order for time to proceed, the action $\pi$ that is stored in the internal variable $\text{send}_j$ is eventually scheduled. It can easily be seen that the $\text{DC}_j$ automaton satisfies the Axioms D1–D3 of the HIOA model of Section 2.2.

The trajectory specification of the $\text{DC}_j$ automaton is trivial. It simply states that the internal variable $\text{send}_j$, which comprises the state of the $\text{DC}_j$ automaton, remains unchanged and equal to null throughout any trajectory of the $\text{DC}_j$ automaton. It can easily be seen that the $\text{DC}_j$ automaton satisfies the Axioms T1–T3 of the HIOA model of Section 2.2.


Finally, since the $\text{DC}_j$ automaton has no input variables, Axiom Init of the HIOA model of Section 2.2 is trivially satisfied. Since the $\text{DC}_j$ automaton satisfies the Axioms Init, D1–D3, and T1–T3 of the HIOA model of Section 2.2, it follows that it is a HIOA.

Figure 3.3 $\text{DC}_j$ automaton definition.

Actions:
  Input:  e, the environment action (stuttering)
          $\text{snapshot}(y)_j$, for each valuation y of $Y_{PP}$, i.e., for all $y \in Y_{PP}$
  Output: $\pi$, for all $\pi \in \Pi^{in}_{PP,j}$, i.e., all the input actions on port j of PP

Variables:
  Internal: $\text{send}_j \in \Pi^{in}_{PP,j} \cup \{\text{null}\}$, initially null

Discrete Transitions:
  e
    Eff: None
  $\text{snapshot}(y)_j$
    Eff: if $y \in \text{safe}_{PP,R,G,j}$ then
           $\text{send}_j :\in \{\pi \in \Pi^{in}_{PP,j} \mid \forall\, p, p', p'' \in R$ such that $p\lceil Y_{PP} = y$, $p' \in \text{future}_{PP,R,j}(p,0)$, and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}_{PP,R,G,j}(d)\}$
         else
           $\text{send}_j :\in \Pi^{in}_{PP,j}$
  $\pi$
    Pre: $\text{send}_j = \pi$
    Eff: $\text{send}_j := \text{null}$

Trajectories:
  $w.\text{send}_j = \text{null}$


The $\text{DC}_j$ automaton's decision as to which output action to enable and subsequently schedule is made nondeterministically. Let y be any valuation of the output variables $Y_{PP}$ of the PP automaton, i.e., $y \in Y_{PP}$.

On one hand, if $y \in \text{safe}$, then an output action $\pi$ in $\Pi^{in}_{PP,j}$ is allowed only if for all $p, p', p'' \in R$ such that $p\lceil Y_{PP} = y$, $p' \in \text{future}(p,0)$, and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$. Let $\Phi$ be the set of all output actions $\pi$ in $\Pi^{in}_{PP,j}$ allowed by the $\text{DC}_j$ automaton in this case. In order for an implementation of a particular instantiation of the $\text{DC}_j$ automaton to exist, it is imperative that the set of output actions $\Phi$ be non-empty and that at least one of the actions in $\Phi$ can be determined from the valuation y of $Y_{PP}$. In fact, since $y \in \text{safe}$, an output action $\pi$ in $\Pi^{in}_{PP,j}$ that is allowed by the $\text{DC}_j$ automaton is guaranteed to exist, i.e., $\Phi \neq \emptyset$. Axiom 3.2.4 implies that for all $p \in R$ such that $p\lceil Y_{PP} = y$ it is the case that $p \in \text{safe}$, i.e., for all $p \in R$ such that $p\lceil Y_{PP} = y$, there exists an action $\pi$ in $\Pi^{in}_{PP,j}$ such that for all $p', p'' \in R$ satisfying $p' \in \text{future}(p,0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{very-safe}$. Therefore, from Lemma 3.2.5, part 1, it follows that $p'' \in \text{delay-safe}(d)$, as needed. Moreover, by Axiom 3.2.5, an output action $\pi$ in $\Pi^{in}_{PP,j}$ that is allowed by the $\text{DC}_j$ automaton can be determined from the valuation y of $Y_{PP}$; that is, there exists a function, decision, from valuations of $Y_{PP}$ to $\Pi^{in}_{PP,j}$, such that for any $y \in Y_{PP}$ and $p \in R$ satisfying $p\lceil Y_{PP} = y$, it is the case that $p \in \text{safe}(\text{decision}(y))$.

On the other hand, if $y \notin \text{safe}$, then any output action $\pi$ of the $\text{DC}_j$ automaton is allowed by default. However, as shown in the following section, this default case never occurs in states that are R-reachable by a finite execution of the composed system $PP \times \text{Sensor}_j \times \text{DC}_j$ starting in an initial state in the set S.

The nondeterminism in the description of the $\text{DC}_j$ automaton allows the freedom to choose any response that satisfies the given conditions — however, in any discrete controller automaton implementation, a response that least restricts the future states of the physical plant automaton PP would be preferred because it would represent a weaker protective action.

Henceforth, let the "abstract protector" automaton $\text{Abs}_j$ be the composition of the $\text{Sensor}_j$ and $\text{DC}_j$ automata, i.e., $\text{Abs}_j = \text{Sensor}_j \times \text{DC}_j$. Proposition 2.7.1 implies that the automaton $\text{Abs}_j$ is a HIOA.
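The sets very-safe, safe, $\text{safe}(\pi)$ and $\text{delay-safe}(t)$ of Section 3.2.1, the three parts of Lemma 3.2.5, and the sampled decision rule of $\text{DC}_j$ described above can be made concrete on a small instance. The following Python program is an added example for this editorial version; it is not code from the thesis or from the PRT project. It assumes a constructed one-vehicle plant whose only output variable is its velocity v (so $y = p\lceil Y_{PP}$ is just v, and the braking flag is internal), two input actions brake and unbrake on the port, R equal to all states, $G = \{v \leq V_{MAX}\}$, and worst-case acceleration bounds; every constant, name and function in it is an assumption of the example. Reachable sets are represented as velocity intervals, which is exact for this plant, and the decision rule prefers the weaker action, as the text recommends.

```python
import math
from dataclasses import dataclass

# Constructed parameters of a toy one-vehicle plant (assumptions, not from the thesis).
V_MAX = 20.0     # G = { states with v <= V_MAX }; R = all states
A_MAX = 2.0      # largest acceleration the plant may choose while not braking
A_MIN = -1.0     # largest coasting deceleration while not braking
A_BRAKE = 4.0    # deceleration while the emergency brake is applied
D = 1.0          # sampling period d of Sensor_j
ACTIONS = ("brake", "unbrake")   # the input actions on port j

@dataclass(frozen=True)
class State:
    v: float        # velocity: the only output variable, so y = p|Y_PP = v
    braking: bool   # internal variable, invisible to the sensor

@dataclass(frozen=True)
class Reach:
    """A reachable set: every velocity in [lo, hi], all with the same braking flag."""
    lo: float
    hi: float
    braking: bool

def future(p, t0, t1):
    """future(p, [t0, t1]): states reachable from p with no input on port j.
    Velocities never drop below 0; with t1 = inf this is future(p, R>=0)."""
    if p.braking:
        return Reach(max(0.0, p.v - A_BRAKE * t1), max(0.0, p.v - A_BRAKE * t0), True)
    return Reach(max(0.0, p.v + A_MIN * t1), p.v + A_MAX * t1, False)

def subset_of_G(r):
    return r.hi <= V_MAX

def step(p, action):
    """The discrete transition p --action--> p' of the plant on port j."""
    return State(p.v, action == "brake")

def very_safe(p):
    """future(p, R>=0) is a subset of G: the plant stays in G with no further protective action."""
    return subset_of_G(future(p, 0.0, math.inf))

def safe_action(p, action):
    """safe(action): immediate execution of action from every state in future(p, 0)
    lands in very-safe. This toy plant has no other discrete actions, so future(p, 0) = {p}."""
    now = future(p, 0.0, 0.0)
    return subset_of_G(now) and very_safe(step(State(now.hi, now.braking), action))

def safe(p):
    return any(safe_action(p, a) for a in ACTIONS)

def delay_safe(p, t):
    """All states within [0, t] are in G and all states at exactly t are in safe.
    Membership in G and in safe is monotone in v here, so checking the top velocity suffices."""
    at_t = future(p, t, t)
    return subset_of_G(future(p, 0.0, t)) and safe(State(at_t.hi, at_t.braking))

def decision(y):
    """DC_j's choice from the sampled valuation y alone: the weakest action such that every
    state p with p|Y_PP = y (either braking flag) steps into delay-safe(d).
    Returns None only when y is not in safe, the default case the text rules out."""
    for action in ("unbrake", "brake"):
        if all(delay_safe(step(State(y, b), action), D) for b in (False, True)):
            return action
    return None

def lemma_3_2_5_holds(velocities=(0.0, 5.0, 15.0, 19.0, 20.0, 21.0, 30.0), t=0.5, t_prime=1.5):
    """Checks the three parts of Lemma 3.2.5 on sample states, for t < t'."""
    for v in velocities:
        for b in (False, True):
            p = State(v, b)
            if very_safe(p) and not (delay_safe(p, t) and delay_safe(p, t_prime)):
                return False
            if safe(p) != delay_safe(p, 0.0):
                return False
            if delay_safe(p, t_prime) and not delay_safe(p, t):
                return False
    return True

def simulate(v0, periods):
    """Worst-case run of PP x Abs_j: at each snapshot DC_j decides, the action is executed
    before time passes, then the plant evolves as fast as it may until the next snapshot.
    Returns (G held throughout, [(time, velocity after the action, action), ...])."""
    p, trace, g_held = State(v0, False), [], True
    for k in range(periods):
        if not safe(p):   # Lemma 3.2.7 at a sampling point: ppstate is in delay-safe(0) = safe
            raise AssertionError("invariant violated")
        action = decision(p.v)
        p = step(p, action)
        g_held = g_held and subset_of_G(future(p, 0.0, D))
        trace.append((k * D, p.v, action))
        p = State(future(p, D, D).hi, p.braking)
    return g_held, trace
```

Starting from v = 15 with these constants, the controller releases the brake twice, applies it at v = 19 (because one more unbraked period could reach 21), and repeats; the velocity never exceeds V_MAX even though the plant accelerates as hard as it may between snapshots. Shrinking D or A_MAX enlarges delay-safe(d) and lets the controller pick the weaker action more often, which is exactly the trade-off Lemma 3.2.5, part 3, expresses.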


3.2.4 Correctness of the Abstract Protector

In this section, we prove that the abstract protector $\text{Abs}_j$ guarantees G in the physical plant PP from S given R.

Lemma 3.2.6 For any reachable state s of $\text{Abs}(PP,S,R,G,j,d)$, if $s.\text{next-snap}_j = s.\text{now}_j$, then $s.\text{send}_j = \text{null}$.

Proof: Follows directly from the definition of the $\text{Sensor}_j$ and the $\text{DC}_j$ automata. ∎

The following lemma considers the composition $PP \times \text{Abs}_j$ of the physical plant automaton PP and the abstract protector automaton $\text{Abs}_j$. Let s be any state of the composed system and let $s.\text{ppstate}$ be the restriction of s onto the state space of the PP automaton, i.e., $s.\text{ppstate} = s\lceil V_{PP}$.

Lemma 3.2.7 The following are true in any state s of $PP \times \text{Abs}(PP,S,R,G,j,d)$ that is reachable from an initial state in $\text{safe}_{PP,R,G,j}$, via an execution that only involves states in R.
1. If $s.\text{send}_j = \text{null}$, then $s.\text{ppstate} \in \text{delay-safe}_{PP,R,G,j}(s.\text{next-snap}_j - s.\text{now}_j)$.

2. If $s.\text{send}_j = \phi$, for some $\phi \in \Pi^{in}_{PP,j}$, then

   (a) $\text{future}_{PP,R,j}(s.\text{ppstate},0) \subseteq G$, and
   (b) for every $p', p'' \in R$ such that $p' \in \text{future}_{PP,R,j}(s.\text{ppstate},0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}_{PP,R,G,j}(d)$.

Proof: In an initial state of $PP \times \text{Abs}_j$ it is the case that $s.\text{send}_j = \text{null}$. Therefore, since the first clause of the invariant applies, we must show that $s.\text{ppstate} \in \text{delay-safe}(s.\text{next-snap}_j - s.\text{now}_j)$. However, in an initial state of $PP \times \text{Abs}_j$ it is the case that $s.\text{next-snap}_j = s.\text{now}_j = 0$. Therefore, we must show that $s.\text{ppstate} \in \text{delay-safe}(0)$, which by Lemma 3.2.5, part 2, is equivalent to $s.\text{ppstate} \in \text{safe}$. But this is true by our assumption about the start states of the executions considered in this lemma.


We now show that the invariant is preserved by every discrete transition $s \xrightarrow{\pi} s'$ of $PP \times \text{Abs}_j$, for $s, s' \in \text{states}(PP \times \text{Abs}_j)$ such that $s.\text{ppstate}, s'.\text{ppstate} \in R$ and $\pi \in \Pi_{PP \times \text{Abs}_j}$. We consider cases:

1. $\pi = \text{snapshot}(y)_j$.

From the effects of the $\text{snapshot}(y)_j$ action, it follows that $s'.\text{send}_j \in \Pi^{in}_{PP,j}$. Therefore, we must show the second clause of the invariant for the state s'; that is, we must show that (a) $\text{future}(s'.\text{ppstate},0) \subseteq G$, and (b) for every $p', p'' \in R$ such that $p' \in \text{future}(s'.\text{ppstate},0)$ and $p' \xrightarrow{s'.\text{send}_j}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$.

Lemma 3.2.6 and the precondition of the $\text{snapshot}(y)_j$ action imply that $s.\text{send}_j = \text{null}$. Therefore, the invariant for s implies that $s.\text{ppstate} \in \text{delay-safe}(s.\text{next-snap}_j - s.\text{now}_j)$. Since the precondition of the $\text{snapshot}(y)_j$ action implies that $s.\text{next-snap}_j = s.\text{now}_j$, it follows that $s.\text{ppstate} \in \text{delay-safe}(0)$. Therefore, Lemma 3.2.5, part 2, implies that $s.\text{ppstate} \in \text{safe}$.

For condition (a), since $s.\text{ppstate} \in \text{safe}$, it is the case that $\text{future}(s.\text{ppstate},0) \subseteq G$. Since the $\text{snapshot}(y)_j$ action affects only the variable $\text{send}_j$ of the $\text{DC}_j$ automaton and the PP automaton has no input variables on any of its ports, it is the case that $s'.\text{ppstate} = s.\text{ppstate}$. Therefore, it follows that $\text{future}(s'.\text{ppstate},0) \subseteq G$, as needed.

For condition (b), since $s.\text{ppstate} \in \text{safe}$, the "then clause" of the determination of $s'.\text{send}_j$ is used. Therefore, the discrete step $s \xrightarrow{\pi} s'$ sets the variable $s'.\text{send}_j$ to some $\phi$ in $\Pi^{in}_{PP,j}$ with the property that for every $p', p'' \in R$ such that $p' \in \text{future}(s'.\text{ppstate},0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$, as needed.

2. $\pi \in \Pi^{in}_{PP,j}$.

The precondition implies that $s.\text{send}_j = \pi \neq \text{null}$. Therefore, the invariant for the state s implies that $\text{future}(s.\text{ppstate},0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \text{future}(s.\text{ppstate},0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$. As a result of the step, it is the case that $s'.\text{send}_j = \text{null}$ and $s'.\text{next-snap}_j - s'.\text{now}_j = d$. Moreover, the invariant for the state s implies that $s'.\text{ppstate} \in \text{delay-safe}(d)$. Since $s'.\text{next-snap}_j - s'.\text{now}_j = d$ and $s'.\text{ppstate} \in \text{delay-safe}(d)$, it follows that $s'.\text{ppstate} \in \text{delay-safe}(s'.\text{next-snap}_j - s'.\text{now}_j)$, as needed.

3. $\pi \in \Pi_{PP} - \Pi^{in}_{PP,j}$ ($\pi$ is a discrete action of PP other than an input action on port j).

For any discrete action $\pi$ of the PP automaton other than an input action on port j, it is the case that $s.\text{send}_j = s'.\text{send}_j$, $s.\text{now}_j = s'.\text{now}_j$, and $s.\text{next-snap}_j = s'.\text{next-snap}_j$.

If $s.\text{send}_j = \text{null}$, then the invariant for s implies that $s.\text{ppstate} \in \text{delay-safe}(t)$, where $t = s.\text{next-snap}_j - s.\text{now}_j$; that is, $\text{future}(s.\text{ppstate},[0,t]) \subseteq G$ and $\text{future}(s.\text{ppstate},t) \subseteq \text{safe}$. However, Lemma 3.2.2 implies that $\text{future}(s'.\text{ppstate},t) \subseteq \text{future}(s.\text{ppstate},t)$, for all $t \in \mathbb{R}^{\geq 0}$. Since $s.\text{next-snap}_j - s.\text{now}_j = s'.\text{next-snap}_j - s'.\text{now}_j$, it follows that $\text{future}(s'.\text{ppstate},[0,t]) \subseteq G$ and $\text{future}(s'.\text{ppstate},t) \subseteq \text{safe}$, where $t = s'.\text{next-snap}_j - s'.\text{now}_j$. These two conditions imply that $s'.\text{ppstate} \in \text{delay-safe}(s'.\text{next-snap}_j - s'.\text{now}_j)$. This yields the invariant.

A similar argument holds if $s.\text{send}_j = \phi$, for some $\phi \in \Pi^{in}_{PP,j}$. In this case, the invariant for s implies that $\text{future}(s.\text{ppstate},0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \text{future}(s.\text{ppstate},0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$. However, Lemma 3.2.2 implies that $\text{future}(s'.\text{ppstate},0) \subseteq \text{future}(s.\text{ppstate},0)$. Therefore, it follows that $\text{future}(s'.\text{ppstate},0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \text{future}(s'.\text{ppstate},0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \text{delay-safe}(d)$. This yields the invariant.

4. $\pi = e$ ($\pi$ is the environment action).

Since the input variables of the $\text{Sensor}_j$ automaton are the output variables of the PP automaton, the $\text{DC}_j$ automaton has no input variables, and the PP automaton has no input variables on any of its ports, it follows that the composition $PP \times \text{Abs}_j$ has no input variables. Therefore, the action $\pi$ is the stuttering environment action, i.e., $s' = s$, and the invariant for the state s implies the invariant for the state s'.


Finally, we show that the invariant is preserved by any non-trivial closed trajectory w in $\mathcal{W}_{PP \times \text{Abs}_j}$. Suppose that the states s and s', for some $s, s' \in \text{states}(PP \times \text{Abs}_j)$ such that $s.\text{ppstate}, s'.\text{ppstate} \in R$, are the first and last states of the trajectory w, respectively. Since time-passage is enabled, it is the case that $\text{send}_j = \text{null}$ throughout the trajectory w. Therefore, the invariant for the state s implies that $s.\text{ppstate} \in \text{delay-safe}(s.\text{next-snap}_j - s.\text{now}_j)$; that is, $\text{future}(s.\text{ppstate},[0, s.\text{next-snap}_j - s.\text{now}_j]) \subseteq G$ and $\text{future}(s.\text{ppstate}, s.\text{next-snap}_j - s.\text{now}_j) \subseteq \text{safe}$. We must show that $s'.\text{ppstate} \in \text{delay-safe}(s'.\text{next-snap}_j - s'.\text{now}_j)$; that is, $\text{future}(s'.\text{ppstate},[0, s'.\text{next-snap}_j - s'.\text{now}_j]) \subseteq G$ and $\text{future}(s'.\text{ppstate}, s'.\text{next-snap}_j - s'.\text{now}_j) \subseteq \text{safe}$. It suffices to show that $\text{future}(s'.\text{ppstate},[0, s'.\text{next-snap}_j - s'.\text{now}_j]) \subseteq \text{future}(s.\text{ppstate},[0, s.\text{next-snap}_j - s.\text{now}_j])$ and $\text{future}(s'.\text{ppstate}, s'.\text{next-snap}_j - s'.\text{now}_j) \subseteq \text{future}(s.\text{ppstate}, s.\text{next-snap}_j - s.\text{now}_j)$.

From the fact that $s'.\text{ppstate} \in \text{future}(s.\text{ppstate}, w.\text{ltime})$ and Lemma 3.2.1, part 1, it follows that $\text{future}(s'.\text{ppstate},[0, s'.\text{next-snap}_j - s'.\text{now}_j]) \subseteq \text{future}(\text{future}(s.\text{ppstate}, w.\text{ltime}),[0, s'.\text{next-snap}_j - s'.\text{now}_j])$. But Lemma 3.2.1, part 4, implies that $\text{future}(\text{future}(s.\text{ppstate}, w.\text{ltime}),[0, s'.\text{next-snap}_j - s'.\text{now}_j]) = \text{future}(s.\text{ppstate},[w.\text{ltime}, s'.\text{next-snap}_j - s'.\text{now}_j + w.\text{ltime}])$. Moreover, from Lemma 3.2.1, part 1, it follows that $\text{future}(s.\text{ppstate},[w.\text{ltime}, s'.\text{next-snap}_j - s'.\text{now}_j + w.\text{ltime}]) \subseteq \text{future}(s.\text{ppstate},[0, s'.\text{next-snap}_j - s'.\text{now}_j + w.\text{ltime}])$. Finally, since $s'.\text{next-snap}_j - s'.\text{now}_j + w.\text{ltime} = s.\text{next-snap}_j - s.\text{now}_j$, it follows that $\text{future}(s'.\text{ppstate},[0, s'.\text{next-snap}_j - s'.\text{now}_j]) \subseteq \text{future}(s.\text{ppstate},[0, s.\text{next-snap}_j - s.\text{now}_j])$, as needed.

Using similar arguments, it can be shown that $\text{future}(s'.\text{ppstate}, s'.\text{next-snap}_j - s'.\text{now}_j) \subseteq \text{future}(s.\text{ppstate}, s.\text{next-snap}_j - s.\text{now}_j)$. ∎


Lemma 3.2.8 For any state s of $PP \times \text{Abs}(PP,S,R,G,j,d)$ that is reachable from an initial state in $\text{safe}_{PP,R,G,j}$, via an execution that only involves states in R, it is the case that $s.\text{ppstate} \in G$.

Proof: If $s.\text{send}_j = \text{null}$ then Lemma 3.2.7 implies that the state $s.\text{ppstate}$ is in the set $\text{delay-safe}(s.\text{next-snap}_j - s.\text{now}_j)$, which implies that $\text{future}(s.\text{ppstate},0) \subseteq G$. On the other hand, if $s.\text{send}_j \neq \text{null}$, then Lemma 3.2.7 implies that $\text{future}(s.\text{ppstate},0) \subseteq G$. Thus, in either case it is the case that $\text{future}(s.\text{ppstate},0) \subseteq G$. Finally, Lemma 3.2.1, part 3, implies that $s.\text{ppstate} \in G$. ∎

Theorem 3.2.9 $\text{Abs}(PP,S,R,G,j,d)$ guarantees G in PP from $\text{safe}_{PP,R,G,j}$ given R.

Proof: Let s be any state of the composed system $PP \times \text{Abs}_j$ that is reachable from an initial state in safe via an execution that only involves states in R. Then, Lemma 3.2.8 implies that $s.\text{ppstate} \in G$, as needed. ∎

Corollary 3.2.10 $\text{Abs}(PP,S,R,G,j,d)$ guarantees G in PP from S given R.

Proof: Follows directly from Theorem 3.2.9 and Axiom 3.2.8. ∎
Chapter 4

Modeling a System of n Vehicles

In this chapter, we present a model for a simplified version of the PRT 2000™ system under development at Raytheon Corporation. The physical plant model involves n vehicles traveling on a single track. Since this thesis is only concerned with safety, the details of the operation of the physical plant and the aspects of the system geared towards performance are omitted.

The model, called VEHICLES, is a HIOA and conforms to the restrictions on the PP automaton of Section 3.1 and the assumptions about the PP automaton of Section 3.2. We describe in detail the aspects of the physical plant model that were only abstract in Sections 3.1 and 3.2. These include: the state variables, the initial states, the discrete actions, and the trajectories of the PP automaton. Moreover, we define several auxiliary derived variables and sets that are used extensively by the protector automata presented in the following chapters.

The state variables of the VEHICLES automaton include the position, the velocity, and the acceleration of each vehicle and several other variables that record whether the vehicles of each of the vehicle pairs have collided into each other, whether each vehicle is braking, and whether each protector is requesting each vehicle to brake. The set of initial states is the set of states of the VEHICLES automaton that satisfy the physical properties of the system. The input actions are used by the protectors to instruct the vehicles to apply or release their "emergency" brakes, and the internal actions model the possibility that vehicles stop suddenly or collide among themselves. The trajectories model the motion of the vehicles with time, within their physical constraints.
4.1 Physical Plant: VEHICLES

In this section we describe the automaton VEHICLES, which models a set of n vehicles traveling on a single track. For simplicity, all the vehicles are assumed to have identical dimensions and acceleration/deceleration capabilities. The formal definition of the automaton VEHICLES and the formal definition of the derived variables and sets used in its definition are given in Figure 4.1 and Table 4.1, respectively. Their informal definitions follow.

The set I is the set of vehicles being modeled in the VEHICLES automaton. Each vehicle is identified by an element of this set. As described in Section 3.1, the set J is the set of ports that are used by the VEHICLES automaton to interact with the various protectors. In this setting, each of the protectors uses a single port to interact with the VEHICLES automaton. Therefore, the port index is often used to specify the protector itself.


The output variables of the VEHICLES automaton are the variables $x_i$, for $i \in I$, the variables $\dot{x}_i$, for $i \in I$, and the variables $\text{collided}(i,i')$, for $i, i' \in I$, $i' \neq i$. Each of the variables $x_i$, for $i \in I$, is the position of the vehicle i. The position of each vehicle i, for $i \in I$, is represented by a single point on the real line, i.e., $x_i \in \mathbb{R}$, for $i \in I$, and specifies the position of the rear of the vehicle i on the track. The section of the track occupied by each vehicle i, for $i \in I$, often referred to as the extent of the vehicle i, is defined to be the section of track ranging from the position of the rear of the vehicle i to the point on the track that is a distance of $c_{len}$ downstream of the rear of the vehicle i. The distance $c_{len}$ is the minimum allowable separation between vehicles; that is, the length of the vehicle plus any desired extra margin specified by the system designer. The extent of each vehicle i, for $i \in I$, is given by the derived variable $E_i$; that is, $E_i = [x_i, x_i + c_{len}]$, for $i \in I$. Each of the variables $\dot{x}_i$, for $i \in I$, is the velocity of the vehicle i. The vehicles are only allowed to move forward on the track and, therefore, their velocities are restricted to be non-negative, i.e., $\dot{x}_i \in \mathbb{R}^{\geq 0}$, for all $i \in I$. Once a vehicle in the VEHICLES automaton has collided, its velocity is assumed to be arbitrary.

Each output variable $\text{collided}(i,i')$, for $i, i' \in I$, $i' \neq i$, denotes whether the vehicle i has ever collided into the vehicle i'. For shorthand, each of the derived variables $\text{collided}(i,*)$, for $i \in I$, denotes whether the vehicle i has ever collided into any of the other vehicles, i.e., $\text{collided}(i,*) = \bigvee_{i' \in I, i' \neq i} \text{collided}(i,i')$, and each of the derived variables $\text{collided}(*,i)$, for $i \in I$, denotes whether any of the other vehicles have ever collided into the vehicle i, i.e., $\text{collided}(*,i) = \bigvee_{i' \in I, i' \neq i} \text{collided}(i',i)$. Moreover, each of the derived variables $\text{collided}(*,i,*)$, for $i \in I$, denotes whether the vehicle i has ever been involved in a collision; that is, either whether the vehicle i has ever collided into any other vehicle, or whether any other vehicle has ever collided into the vehicle i. In logical terms, $\text{collided}(*,i,*) = \text{collided}(*,i) \vee \text{collided}(i,*)$. Finally, the derived variable collided denotes whether any of the vehicles have ever collided among themselves, i.e., $\text{collided} = \bigvee_{i \in I} \text{collided}(i,*) = \bigvee_{i, i' \in I, i \neq i'} \text{collided}(i,i')$.

Figure 4.1 The VEHICLES automaton.

Actions:
  Input:
    e, the environment action (stuttering)
    $\text{brake}(i)_j$, for all $i \in I$, $j \in J$
    $\text{unbrake}(i)_j$, for all $i \in I$, $j \in J$
  Internal:
    $\text{colliding-pair}(i,i')$, for all $i, i' \in I$, $i \neq i'$
    $\text{collision-effects}(i)$, for all $i \in I$
    $\text{brick-wall}(i)$, for all $i \in I$

Variables:
  Internal:
    $\ddot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\ddot{x}_i \in \mathbb{R}$
    $\text{brake}(i) \in \text{Bool}$, for all $i \in I$, initially False
    $\text{brake-req}(i,j) \in \text{Bool}$, for all $i \in I$, $j \in J$, initially False
  Output:
    $x_i \in \mathbb{R}$, for all $i \in I$, initially $x_i \in \mathbb{R}$
    $\dot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\dot{x}_i \in \mathbb{R}$
    $\text{collided}(i,i') \in \text{Bool}$, for all $i, i' \in I$, $i' \neq i$, initially False
  subject to VALID

Discrete Transitions:
  $\text{brake}(i)_j$
    Eff: $\text{brake-req}(i,j) := \text{True}$
         if $\neg\text{brake}(i)$ then
           $\text{brake}(i) := \text{True}$
           if $\dot{x}_i = 0$ then $\ddot{x}_i := 0$
           else $\ddot{x}_i := \ddot{c}_{brake}$
  $\text{unbrake}(i)_j$
    Eff: $\text{brake-req}(i,j) := \text{False}$
         if $\text{brake}(i) \wedge (\neg \bigvee_{k \in J} \text{brake-req}(i,k))$ then
           $\text{brake}(i) := \text{False}$
           $\ddot{x}_i :\in [\ddot{c}_{min}, \ddot{c}_{max}]$
  $\text{colliding-pair}(i,i')$
    Pre: $\neg\text{collided}(i,i')$
         $\wedge\ (E_i \cap E_{i'} \neq \emptyset)$
         $\wedge\ (x_i < \min(E_i \cap E_{i'}))$
    Eff: $\text{collided}(i,i') := \text{True}$
  $\text{collision-effects}(i)$
    Pre: $\text{collided}(*,i,*)$
    Eff: $\dot{x}_i :\in \mathbb{R}^{\geq 0}$
         $\ddot{x}_i :\in \mathbb{R}$
  $\text{brick-wall}(i)$
    Pre: True
    Eff: $\dot{x}_i := 0$
         if $\text{brake}(i)$ then $\ddot{x}_i := 0$
         else $\ddot{x}_i :\in [0, \ddot{c}_{max}]$

Trajectories:
  for all $i, i' \in I$, $i \neq i'$, $\text{collided}(i,i')$ is constant throughout w
  for all $i \in I$ and $j \in J$, $\text{brake}(i)$ and $\text{brake-req}(i,j)$ are constant throughout w
  for all $i, i' \in I$, $i \neq i'$
    the function $w.\ddot{x}_i$ is integrable
    for all $t \in T_w$
      $w(t).\dot{x}_i = w(0).\dot{x}_i + \int_0^t w(s).\ddot{x}_i\, ds$
      $w(t).x_i = w(0).x_i + \int_0^t w(s).\dot{x}_i\, ds$
      if $\neg w.\text{collided}(i,i')$
         $\wedge\ (w(t).E_i \cap w(t).E_{i'} \neq \emptyset)$
         $\wedge\ (w(t).x_i < \min(w(t).E_i \cap w(t).E_{i'}))$
      then $t = w.\text{ltime}$
  subject to VALID


The internal variables of the VEHICLES automaton are the variables $\ddot{x}_i$, for $i \in I$, the
variables $\mathit{brake}(i)$, for $i \in I$, and the variables $\mathit{brake\text{-}req}(i, j)$, for $i \in I$ and $j \in J$. Each of
the variables $\ddot{x}_i$, for $i \in I$, is the acceleration of the vehicle $i$. If no vehicle collisions involving
a particular vehicle $i$ have occurred, then (i) the acceleration of the vehicle $i$ is bounded
above and below as follows: $\ddot{x}_i \in [\ddot{c}_{\min}, \ddot{c}_{\max}]$, where $\ddot{c}_{\min}, \ddot{c}_{\max} \in \mathbb{R}$ and
$\ddot{c}_{\min} < 0 < \ddot{c}_{\max}$, and (ii) if the vehicle $i$ is braking, its acceleration is given by
$\ddot{x}_i = \ddot{c}_{brake}$, where $\ddot{c}_{brake} \in \mathbb{R}$ and $\ddot{c}_{\min} < \ddot{c}_{brake} < 0$. The difference between the
minimum acceleration and the braking acceleration reflects a conservative estimate of the effect
of a vehicle's braking system. Once a vehicle in the VEHICLES automaton has collided, its
acceleration is assumed to be arbitrary and its braking system is assumed to be malfunctioning.
Each of the boolean variables $\mathit{brake}(i)$, for $i \in I$, denotes whether the vehicle $i$ is braking.
Each of the boolean variables $\mathit{brake\text{-}req}(i, j)$, for $i \in I$ and $j \in J$, denotes whether the
protector $j$ is requesting the vehicle $i$ to brake. It is assumed that each vehicle applies its
"emergency" brake while any of the protectors is requesting it, i.e.,
$\mathit{brake}(i) = \bigvee_{j \in J} \mathit{brake\text{-}req}(i, j)$, for all $i \in I$.

Table 4.1 Derived variables and sets used in the definition of the VEHICLES automaton.

$E_i \in \mathcal{P}(\mathbb{R})$, for $i \in I$, defined by
  $E_i = [x_i, x_i + c_{len}]$

$\mathit{collided}(i, *) \in \mathit{Bool}$, for $i \in I$, defined by
  $\mathit{collided}(i, *) = \bigvee_{i' \in I,\, i' \neq i} \mathit{collided}(i, i')$

$\mathit{collided}(*, i) \in \mathit{Bool}$, for $i \in I$, defined by
  $\mathit{collided}(*, i) = \bigvee_{i' \in I,\, i' \neq i} \mathit{collided}(i', i)$

$\mathit{collided}(*, i, *) \in \mathit{Bool}$, for $i \in I$, defined by
  $\mathit{collided}(*, i, *) = \mathit{collided}(*, i) \vee \mathit{collided}(i, *)$

VALID $\subseteq$ states(VEHICLES), defined by
  VALID $= \{p \in$ states(VEHICLES) $\mid$
    1. $\nexists\, i, i' \in I$, $i \neq i'$, such that the set $p.E_i \cap p.E_{i'}$ is a positive length closed
       interval of $\mathbb{R}$.
    2. $p.\dot{x}_i \geq 0$, for all $i \in I$.
    3. If $\neg p.\mathit{collided}(*, i, *)$ then $p.\ddot{x}_i \in [\ddot{c}_{\min}, \ddot{c}_{\max}]$, for all $i \in I$.
    4. If $\neg p.\mathit{collided}(*, i, *) \wedge p.\mathit{brake}(i)$ then if $p.\dot{x}_i = 0$ then $p.\ddot{x}_i = 0$ else
       $p.\ddot{x}_i = \ddot{c}_{brake}$, for all $i \in I$. $\}$
The input actions of the VEHICLES automaton are the environment action $e$ and the actions
$\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, for $i \in I$ and $j \in J$. Since the VEHICLES automaton has no
input variables, the environment action $e$ is stuttering and its specification is omitted from
the definition of the VEHICLES automaton. Each of the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$,
for $i \in I$ and $j \in J$, corresponds to an action performed by the protector $j$ instructing the
vehicle $i$ to apply or release its "emergency" brake, respectively. It is important to note that
the acceleration of the vehicle $i$ is not set by the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ unless
the variable $\mathit{brake}(i)$ gets toggled by the action being performed. Therefore, the $\mathit{brake}(i)_j$
and $\mathit{unbrake}(i)_j$ actions do not affect the acceleration of the vehicle $i$ when
$\mathit{brake}(i) = \mathit{True}$ and $\neg\mathit{brake}(i) \vee \big(\bigvee_{j' \in J,\, j' \neq j} \mathit{brake\text{-}req}(i, j')\big) = \mathit{True}$,
respectively.


For simplicity, the set of input actions of the VEHICLES automaton includes the actions
$\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, for all $i \in I$ and $j \in J$; that is, the VEHICLES automaton allows
each protector $j$, for $j \in J$, to brake each vehicle $i$, for $i \in I$. However, it is often the
case that a protector $j$, for some $j \in J$, need schedule only a subset of the actions
$\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, for $i \in I$. In such cases, the protector $j$ is specified as having
only the output actions that it is capable of scheduling, and the remaining input actions of
the VEHICLES automaton on port $j$ are ignored.


The discrete actions $\mathit{brick\text{-}wall}(i)$, for $i \in I$, $\mathit{colliding\text{-}pair}(i, i')$, for $i, i' \in I$, $i \neq i'$, and
$\mathit{collision\text{-}effects}(i)$, for $i \in I$, are the internal actions of the VEHICLES automaton. Each
$\mathit{brick\text{-}wall}(i)$ action, for $i \in I$, models the instantaneous stopping of the vehicle $i$ — as if
it hit a brick wall. Thereafter, however, the vehicle $i$ is allowed to reinitiate forward motion.
The effects of the $\mathit{brick\text{-}wall}(i)$ action are to set the velocity of the vehicle $i$ to zero and
the acceleration of the vehicle $i$ to an arbitrary non-negative value within the prespecified
acceleration bounds. It is important to note that if the vehicle $i$ was braking prior to the
execution of the $\mathit{brick\text{-}wall}(i)$ action, the $\mathit{brick\text{-}wall}(i)$ action sets the acceleration of
the vehicle $i$ to zero. Each $\mathit{colliding\text{-}pair}(i, i')$ action, for $i, i' \in I$, $i \neq i'$, records the fact
that the vehicle $i$ has collided into the vehicle $i'$. The $\mathit{colliding\text{-}pair}(i, i')$ action sets the
boolean variable $\mathit{collided}(i, i')$ to $\mathit{True}$. A collision between two vehicles is assumed to take
place when the vehicles have overlapping extents. However, since the trailing vehicle is the
only vehicle that can prevent the collision through braking, the collision is recorded only by
the trailing vehicle, as if the trailing vehicle were the only vehicle liable for the particular
collision. Following a collision, the velocity and the acceleration of the vehicles involved
in the collision are unconstrained and each vehicle's braking system is assumed to be
malfunctioning. Each $\mathit{collision\text{-}effects}(i)$ action, for $i \in I$, models the adverse effects of a
collision involving the vehicle $i$ and may be executed, even repeatedly, at any instant of time
following the first collision involving the vehicle $i$. The $\mathit{collision\text{-}effects}(i)$ action sets
the velocity and the acceleration of the vehicle $i$ to arbitrary values. The system is modeled
such that a collision allows but does not dictate immediate effects on the velocity and the
acceleration of the vehicles involved in the collision; that is, $\mathit{collision\text{-}effects}(i)$ and
$\mathit{collision\text{-}effects}(i')$ actions do not necessarily follow a $\mathit{colliding\text{-}pair}(i, i')$ action.


All discrete actions of the VEHICLES automaton, except the $\mathit{collision\text{-}effects}$ actions,
model the behavior of the vehicle as if no collisions had ever occurred. Once a vehicle has
been involved in a collision, it is unknown whether the vehicle has incurred any damage
and, therefore, its operation is uncertain. If the vehicle has not been damaged, then its
operation is modeled as if the vehicle had not collided. On the other hand, if the vehicle
has been damaged, the malfunctioning vehicle apparatus is modeled by succeeding each of
the discrete actions with a $\mathit{collision\text{-}effects}$ action for the malfunctioning vehicle.


The definition of the VEHICLES automaton restricts the initial states and the trajectory
states to the set VALID. The formal definition of the set VALID is given below and is
included for reference in Table 4.1.


VALID $\subseteq$ states(VEHICLES), defined as the set of states of the VEHICLES automaton that
satisfy the following conditions:

1. $\nexists\, i, i' \in I$, $i \neq i'$, such that the set $E_i \cap E_{i'}$ is a positive length closed interval
   of $\mathbb{R}$.

2. $\dot{x}_i \geq 0$, for all $i \in I$.

3. If $\neg\mathit{collided}(*, i, *)$ then $\ddot{x}_i \in [\ddot{c}_{\min}, \ddot{c}_{\max}]$, for all $i \in I$.

4. If $\neg\mathit{collided}(*, i, *) \wedge \mathit{brake}(i)$ then if $\dot{x}_i = 0$ then $\ddot{x}_i = 0$ else $\ddot{x}_i = \ddot{c}_{brake}$, for all
   $i \in I$.


The restriction of the states of the VEHICLES automaton to the set VALID enforces some of
the physical properties of the system. The first two conditions restrict the vehicle extents to
be non-overlapping and the vehicle velocities to be non-negative. The vehicles are, however,
allowed to "touch", i.e., their extents are allowed to intersect at a single point. The final
two properties only apply to vehicles that have not been involved in a collision. The
third condition specifies the range of allowable vehicle acceleration and the fourth condition
specifies the correct acceleration for a vehicle that is braking. Recall that once a vehicle has
collided, its velocity and acceleration are assumed to be arbitrary and its braking system is
assumed to be malfunctioning.


The trajectories of the VEHICLES automaton only affect the position, the velocity, and the
acceleration of the vehicles of the VEHICLES automaton — the remaining variables of the
VEHICLES automaton remain constant throughout the trajectories. The position and the
velocity are assumed to be the integrals of the velocity and the acceleration, respectively.
The acceleration is assumed to be changing arbitrarily throughout a trajectory with the
restriction that all states of the trajectory remain within the set VALID. Finally, if a
vehicle $i$ collides into a vehicle $i'$ for the first time, the trajectory is stopped so that the
collision can be recorded by a $\mathit{colliding\text{-}pair}(i, i')$ action.


The VEHICLES automaton complies with the assumptions made about the $PP$ automaton
in Section 3.2.1. The VEHICLES automaton has neither input variables, nor output actions,
on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover, the actions $\mathit{brake}(i)_j$
and $\mathit{unbrake}(i)_j$, for each vehicle $i \in I$ satisfying the conditions $\mathit{brake\text{-}req}(i, j) = \mathit{True}$ and
$\mathit{brake\text{-}req}(i, j) = \mathit{False}$, respectively, are no-op input actions on port $j$ for any $R \subseteq$ VALID.
Therefore, the set of no-op input actions on each port $j \in J$ and any $R \subseteq$ VALID is
non-empty (Axiom 3.2.3).


4.2 Sets of Guarantee and Reliance for the VEHICLES Automaton


The protectors presented in the following chapters are designed to guarantee that the VEHICLES
automaton remains within sets of states that are considered "good". In other words,
the protectors are designed to keep the VEHICLES automaton from reaching states that are
considered "bad" or hazardous. Bad or hazardous states involve vehicles that are either
above the speed limit, or that have collided with each other. Sets of states that are
considered "good" are informally referred to as sets of guarantee. Moreover, it is often the
case that protectors rely on the restriction of the states of the VEHICLES automaton to sets
comprised of states that exhibit particular properties of the VEHICLES automaton. Such
sets of states are informally referred to as sets of reliance.


In the case of exceeding the speed limit, the set $P_{\mathit{overspeed}(i)}$ is the subset of VALID comprised
of the states in which the vehicle $i$ is above the speed limit. Let the maximum allowable
velocity be given by $\dot{c}_{\max}$.

$P_{\mathit{overspeed}(i)} \subseteq$ VALID, for $i \in I$, defined by
  $P_{\mathit{overspeed}(i)} = \{p \in \text{VALID} \mid p.\dot{x}_i > \dot{c}_{\max}\}$.

Then the set $P_{\mathit{overspeed}} = \bigcup_{i \in I} P_{\mathit{overspeed}(i)}$ is the subset of VALID comprised of the states
in which at least one of the vehicles is above the speed limit, and the set
$P_{\mathit{not\text{-}overspeed}} = \text{VALID} - P_{\mathit{overspeed}}$ is the subset of VALID comprised of the states in which
none of the vehicles are above the speed limit.


In the case of vehicle collisions, the set $P_{\mathit{collided}(i,i')}$ is the subset of VALID comprised of the
states in which the vehicle $i$ has collided into the vehicle $i'$.

$P_{\mathit{collided}(i,i')} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $P_{\mathit{collided}(i,i')} = \{p \in \text{VALID} \mid p.\mathit{collided}(i, i') = \mathit{True}\}$.

Then the set $P_{\mathit{collided}(i)} = \bigcup_{i' \in I,\, i' \neq i} P_{\mathit{collided}(i,i')}$ is the subset of VALID comprised of the
states in which the vehicle $i$ has collided into at least one of the other vehicles. Moreover, the
set $P_{\mathit{collided}} = \bigcup_{i \in I} P_{\mathit{collided}(i)} = \bigcup_{i, i' \in I,\, i \neq i'} P_{\mathit{collided}(i,i')}$ is the subset of VALID
comprised of the states in which at least two distinct vehicles have collided into each other.
Finally, the set $P_{\mathit{not\text{-}collided}} = \text{VALID} - P_{\mathit{collided}}$ is the subset of VALID comprised of the
states in which none of the vehicles have collided among themselves.

Table 4.2 Sets of guarantee and reliance for the VEHICLES automaton.

$P_{\mathit{overspeed}(i)} \subseteq$ VALID, for $i \in I$, defined by
  $P_{\mathit{overspeed}(i)} = \{p \in \text{VALID} \mid p.\dot{x}_i > \dot{c}_{\max}\}$

$P_{\mathit{overspeed}} \subseteq$ VALID, defined by
  $P_{\mathit{overspeed}} = \bigcup_{i \in I} P_{\mathit{overspeed}(i)}$

$P_{\mathit{not\text{-}overspeed}} \subseteq$ VALID, defined by
  $P_{\mathit{not\text{-}overspeed}} = \text{VALID} - P_{\mathit{overspeed}}$

$P_{\mathit{collided}(i,i')} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $P_{\mathit{collided}(i,i')} = \{p \in \text{VALID} \mid p.\mathit{collided}(i, i') = \mathit{True}\}$

$P_{\mathit{collided}(i)} \subseteq$ VALID, defined by
  $P_{\mathit{collided}(i)} = \bigcup_{i' \in I,\, i' \neq i} P_{\mathit{collided}(i,i')}$

$P_{\mathit{collided}} \subseteq$ VALID, defined by
  $P_{\mathit{collided}} = \bigcup_{i \in I} P_{\mathit{collided}(i)} = \bigcup_{i, i' \in I,\, i \neq i'} P_{\mathit{collided}(i,i')}$

$P_{\mathit{not\text{-}collided}} \subseteq$ VALID, defined by
  $P_{\mathit{not\text{-}collided}} = \text{VALID} - P_{\mathit{collided}}$


The sets of guarantee and reliance defined in this section comply with the assumptions
made in Section 3.2.1; that is, the sets of guarantee and reliance defined in this section are
$Y_{\text{VEHICLES}}$-determinable (Axioms 3.2.6 and 3.2.7).


For reference, the formal definitions of the sets of guarantee and reliance defined above
appear in Table 4.2. These sets are extensively used in the definitions of the overspeed and
collision protectors presented in the following chapters.
4.3 Auxiliary Derived Variables and Auxiliary Sets for the VEHICLES Automaton

This section presents several auxiliary derived variables and sets for the VEHICLES automaton.
These variables and sets are used extensively in the following chapters.

Table 4.3 Auxiliary derived variables for the VEHICLES automaton.

$\mathit{stop\text{-}dist}_i \in \mathbb{R}^{\geq 0}$, for all $i \in I$, defined by
  $\mathit{stop\text{-}dist}_i = -\dfrac{\dot{x}_i^2}{2\ddot{c}_{brake}}$

$\mathit{max\text{-}range}_i(t) \in \mathbb{R}^{\geq 0}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
  $\mathit{max\text{-}range}_i(t) = \begin{cases}
    \dot{x}_i \Delta t + \tfrac{1}{2}\ddot{c}_{\max}\Delta t^2 + \dot{c}_{\max}(t - \Delta t),
      \text{ where } \Delta t = \min\!\big(t, \tfrac{\dot{c}_{\max} - \dot{x}_i}{\ddot{c}_{\max}}\big),
      & \text{if } \dot{x}_i \leq \dot{c}_{\max}, \text{ and} \\[4pt]
    \dot{x}_i \Delta t + \tfrac{1}{2}\ddot{c}_{brake}\Delta t^2 + \dot{c}_{\max}(t - \Delta t),
      \text{ where } \Delta t = \min\!\big(t, \tfrac{\dot{c}_{\max} - \dot{x}_i}{\ddot{c}_{brake}}\big),
      & \text{otherwise.}
  \end{cases}$

$\mathit{max\text{-}vel}_i(t) \in \mathbb{R}^{\geq 0}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
  $\mathit{max\text{-}vel}_i(t) = \begin{cases}
    \min(\dot{c}_{\max}, \dot{x}_i + t\,\ddot{c}_{\max}) & \text{if } \dot{x}_i \leq \dot{c}_{\max}, \text{ and} \\
    \max(\dot{c}_{\max}, \dot{x}_i + t\,\ddot{c}_{brake}) & \text{otherwise.}
  \end{cases}$

$O_i \subseteq \mathbb{R}$, for all $i \in I$, defined by
  $O_i = [x_i, x_i + \mathit{stop\text{-}dist}_i + c_{len}]$

$C_i(t) \subseteq \mathbb{R}$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
  $C_i(t) = [x_i, x_i + \mathit{max\text{-}range}_i(t) - \mathit{max\text{-}vel}_i(t)^2 / (2\ddot{c}_{brake}) + c_{len}]$

For any state $p$ in VALID, the auxiliary derived variables for any vehicle $i \in I$ and time
$t \in \mathbb{R}^{\geq 0}$ are defined in Table 4.3. If the vehicle $i$ is abiding by the global speed limit $\dot{c}_{\max}$,
then the derived variables of Table 4.3 can be interpreted as follows:


$\mathit{stop\text{-}dist}_i$, for $i \in I$, is the distance required to stop the vehicle $i$, assuming a braking
  deceleration equal to $\ddot{c}_{brake}$.

$\mathit{max\text{-}range}_i(t)$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, is the maximum distance the vehicle $i$ can travel in $t$
  time units, assuming a maximum acceleration equal to $\ddot{c}_{\max}$.

$\mathit{max\text{-}vel}_i(t)$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, is the maximum velocity achievable by the vehicle $i$ in $t$
  time units, assuming a maximum acceleration equal to $\ddot{c}_{\max}$.

$O_i$, for $i \in I$, is the section of the track that the vehicle $i$ "owns"; that is, the range
  extending from the current position of the vehicle $i$ to the point on the track that the
  vehicle can reach even if it is braked immediately.

$C_i(t)$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, is the section of the track that the vehicle $i$ "claims" within $t$
  time units; that is, the range extending from the current position of the vehicle $i$ to
  the point on the track that the vehicle $i$ can reach if it is braked after $t$ time units
  and assuming worst-case vehicle behavior up to the point in time when it is braked.


We now define sets of states of the VEHICLES automaton that are used extensively in the
following example protector chapters. While their formal definitions appear in Table 4.4,
their informal interpretations are presented below. It is important to note that the
interpretations of the sets $\mathit{disjoint\text{-}owned\text{-}tracks}(i, i')$ and $\mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t)$, for
$i, i' \in I$, $i \neq i'$, and $t \in \mathbb{R}^{\geq 0}$, are valid provided that all the vehicles of the VEHICLES
automaton are abiding by the global speed limit $\dot{c}_{\max}$.


$\mathit{disjoint\text{-}extents}(i, i')$, for $i, i' \in I$, $i \neq i'$, is the subset of VALID comprised of the states in
  which the extents of the vehicles $i$ and $i'$ are disjoint. We use $P_E$ to denote the set of
  states in which the extents of all the vehicles are disjoint.

$\mathit{disjoint\text{-}owned\text{-}tracks}(i, i')$, for $i, i' \in I$, $i \neq i'$, is the subset of VALID comprised of the
  states in which the sections of the track owned by the vehicles $i$ and $i'$ are disjoint.
  We use $P_O$ to denote the set of states in which all vehicles own disjoint sections of the
  track. If a state of the VEHICLES automaton is not in $P_O$, then it cannot be guaranteed
  that the vehicles will not collide in the future; that is, irrespective of any protection
  action taken, it is possible for some vehicles to collide.

$\mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t)$, for $i, i' \in I$, $i \neq i'$, and $t \in \mathbb{R}^{\geq 0}$, is the subset of VALID
  comprised of the states in which the sections of the track claimed within $t$ time units
  by the vehicles $i$ and $i'$ are disjoint. We use $P_{C(t)}$ to denote the set of states in which
  the sections of the track claimed within $t$ time units by all the vehicles are disjoint. If
  a state of the VEHICLES automaton is not in $P_{C(t)}$ and no protective action is taken
  for $t$ time units, then it cannot be guaranteed that the vehicles will subsequently not
  collide; that is, irrespective of any protection action taken after $t$ time units, it is
  possible for some of the vehicles to collide.

Furthermore, let $P_{B_{ij}}$ be the subset of VALID comprised of the states in which the protector
communicating with the VEHICLES automaton through the port $j$ is requesting the vehicle $i$
to brake, i.e., $P_{B_{ij}} = \{p \in \text{VALID} \mid p.\mathit{brake\text{-}req}(i, j) = \mathit{True}\}$.




Table 4.4 Auxiliary sets for the VEHICLES automaton.

$\mathit{disjoint\text{-}extents}(i, i') \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $\mathit{disjoint\text{-}extents}(i, i') = \{p \in \text{VALID} \mid p.E_i \cap p.E_{i'} = \emptyset\}$

$P_E \subseteq$ VALID, defined by
  $P_E = \bigcap_{i, i' \in I,\, i \neq i'} \mathit{disjoint\text{-}extents}(i, i')$

$\mathit{disjoint\text{-}owned\text{-}tracks}(i, i') \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $\mathit{disjoint\text{-}owned\text{-}tracks}(i, i') = \{p \in \text{VALID} \mid p.O_i \cap p.O_{i'} = \emptyset\}$

$P_O \subseteq$ VALID, defined by
  $P_O = \bigcap_{i, i' \in I,\, i \neq i'} \mathit{disjoint\text{-}owned\text{-}tracks}(i, i')$

$\mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t) \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, and $t \in \mathbb{R}^{\geq 0}$, defined by
  $\mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t) = \{p \in \text{VALID} \mid p.C_i(t) \cap p.C_{i'}(t) = \emptyset\}$

$P_{C(t)} \subseteq$ VALID, for $t \in \mathbb{R}^{\geq 0}$, defined by
  $P_{C(t)} = \bigcap_{i, i' \in I,\, i \neq i'} \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t)$

$P_{B_{ij}} \subseteq$ VALID, defined by
  $P_{B_{ij}} = \{p \in \text{VALID} \mid p.\mathit{brake\text{-}req}(i, j) = \mathit{True}\}$
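The following Python module is an added example, not code from the thesis: it implements the derived variables of Table 4.3 and the pairwise disjointness sets of Table 4.4 for a constructed two-vehicle state, and checks the containments of Lemma 4.4.2 numerically. The constants $c_{len}$, $\ddot{c}_{\max}$, $\ddot{c}_{brake}$, $\dot{c}_{\max}$ and the vehicle positions and velocities are constructed values, and closed intervals are represented as (left, right) pairs.

```python
"""Added example, not the thesis's own code: the derived variables of Table 4.3
and the disjointness sets of Table 4.4, evaluated on a constructed two-vehicle state."""
from dataclasses import dataclass
from itertools import combinations

# Constructed plant constants (metres, seconds); names follow the thesis.
C_LEN = 4.0      # c_len: vehicle length plus the designer's extra margin
A_MAX = 2.0      # c̈_max: largest admissible acceleration
A_BRAKE = -4.0   # c̈_brake: deceleration while braking (c̈_min < c̈_brake < 0)
V_MAX = 15.0     # ċ_max: global speed limit

Interval = tuple  # a closed interval [left, right] of the real line


@dataclass(frozen=True)
class Vehicle:
    """Position x_i and velocity ẋ_i of one vehicle in a VALID state."""
    x: float
    v: float


def stop_dist(veh: Vehicle) -> float:
    """stop-dist_i = -ẋ_i^2 / (2 c̈_brake): distance needed to stop under c̈_brake."""
    return -(veh.v ** 2) / (2.0 * A_BRAKE)


def max_range(veh: Vehicle, t: float) -> float:
    """max-range_i(t): farthest the vehicle can travel in t time units."""
    if veh.v <= V_MAX:
        # accelerate at c̈_max until the limit is reached (or t runs out), then cruise
        dt = min(t, (V_MAX - veh.v) / A_MAX)
        return veh.v * dt + 0.5 * A_MAX * dt ** 2 + V_MAX * (t - dt)
    # already above the limit: decelerate at c̈_brake down to ċ_max, then cruise
    dt = min(t, (V_MAX - veh.v) / A_BRAKE)
    return veh.v * dt + 0.5 * A_BRAKE * dt ** 2 + V_MAX * (t - dt)


def max_vel(veh: Vehicle, t: float) -> float:
    """max-vel_i(t): highest velocity reachable in t time units."""
    if veh.v <= V_MAX:
        return min(V_MAX, veh.v + t * A_MAX)
    return max(V_MAX, veh.v + t * A_BRAKE)


def extent(veh: Vehicle) -> Interval:
    return (veh.x, veh.x + C_LEN)                              # E_i


def owned(veh: Vehicle) -> Interval:
    return (veh.x, veh.x + stop_dist(veh) + C_LEN)             # O_i


def claimed(veh: Vehicle, t: float) -> Interval:
    # C_i(t) = [x_i, x_i + max-range_i(t) - max-vel_i(t)^2 / (2 c̈_brake) + c_len]
    right = veh.x + max_range(veh, t) - max_vel(veh, t) ** 2 / (2.0 * A_BRAKE) + C_LEN
    return (veh.x, right)


def disjoint(a: Interval, b: Interval) -> bool:
    """Closed intervals are disjoint iff one ends strictly before the other starts."""
    return a[1] < b[0] or b[1] < a[0]


def subset(a: Interval, b: Interval) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def classify(vehicles: list, t: float) -> dict:
    """Membership of the state in P_E, P_O and P_C(t): every pair must be disjoint."""
    pairs = list(combinations(vehicles, 2))
    return {
        "P_E": all(disjoint(extent(a), extent(b)) for a, b in pairs),
        "P_O": all(disjoint(owned(a), owned(b)) for a, b in pairs),
        "P_C(t)": all(disjoint(claimed(a, t), claimed(b, t)) for a, b in pairs),
    }


def lemma_4_4_2_holds(veh: Vehicle, t: float, t2: float) -> bool:
    """E_i ⊆ O_i ⊆ C_i(t), x_i is the left endpoint of each, O_i = C_i(0), and
    C_i(t) ⊆ C_i(t2) for t ≤ t2 (up to floating-point rounding)."""
    e, o, c = extent(veh), owned(veh), claimed(veh, t)
    return (subset(e, o) and subset(o, c)
            and e[0] == o[0] == c[0] == veh.x
            and abs(o[1] - claimed(veh, 0.0)[1]) < 1e-9
            and subset(c, claimed(veh, t2)))


if __name__ == "__main__":
    # Constructed state: a follower at 12 m/s, 40 m behind a leader doing 10 m/s.
    state = [Vehicle(x=0.0, v=12.0), Vehicle(x=40.0, v=10.0)]
    print(classify(state, t=1.0))   # owned tracks disjoint, claimed tracks (t = 1) not
    print(all(lemma_4_4_2_holds(veh, 1.0, 2.0) for veh in state))
```

Running the module shows a state that lies in $P_O$ but not in $P_{C(1)}$: both vehicles own disjoint sections of track, yet if no protective action is taken for one time unit a collision can no longer be ruled out.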


4.4 Useful Lemmas for the VEHICLES Automaton

In this section we prove several useful lemmas that describe particular properties of the
VEHICLES automaton and its derived variables.


Lemma 4.4.1 For all $p \in$ VALID, $i \in I$, and $t \in \mathbb{R}^{\geq 0}$, the following hold:

1. $p.\mathit{stop\text{-}dist}_i \geq 0$.
2. $p.\mathit{max\text{-}range}_i(t) \geq 0$.
3. $p.\mathit{max\text{-}vel}_i(t) \geq 0$.
4. If $p.\dot{x}_i = 0$ then $p.\mathit{stop\text{-}dist}_i = 0$.
5. $p.\mathit{max\text{-}range}_i(0) = 0$.
6. $p.\mathit{max\text{-}vel}_i(0) = p.\dot{x}_i$.

Proof: Follow directly from the definitions of the auxiliary derived variables $\mathit{stop\text{-}dist}_i$,
$\mathit{max\text{-}range}_i(\tau)$, and $\mathit{max\text{-}vel}_i(\tau)$, for $\tau \in \mathbb{R}^{\geq 0}$. ■


Lemma 4.4.2 For all $p \in$ VALID, $i \in I$, and $t, t' \in \mathbb{R}^{\geq 0}$, $t \leq t'$, the following hold:

1. $p.E_i \subseteq p.O_i \subseteq p.C_i(t)$.
2. $p.x_i = \min(p.E_i) = \min(p.O_i) = \min(p.C_i(t))$.
3. $p.O_i = p.C_i(0)$.
4. $p.C_i(t) \subseteq p.C_i(t')$.

Proof: Follow directly from the definitions of the derived variables $E_i$, $O_i$, and $C_i(\tau)$, for
$\tau \in \mathbb{R}^{\geq 0}$. ■


Lemma 4.4.3 If $p, p' \in$ VALID, where $p'$ follows from $p$ in a single discrete action, then
the following hold:

1. $p'.O_i \subseteq p.O_i$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

2. $p'.C_i(t) \subseteq p.C_i(t)$, for any $t \in \mathbb{R}^{\geq 0}$, if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

Proof: We prove each of the above statements separately.

1. Recall that $O_i = [x_i, x_i + \mathit{stop\text{-}dist}_i + c_{len}]$. Since none of the actions of the VEHICLES
   automaton affect the position of a vehicle, it follows that $p'.x_i = p.x_i$. Therefore, the
   intervals $p.O_i$ and $p'.O_i$ have the same left endpoint, i.e., $\min(p.O_i) = \min(p'.O_i)$.
   Moreover, since the variable $\mathit{stop\text{-}dist}_i$ is positively correlated with the velocity of the
   vehicle $i$, it follows that $p'.\mathit{stop\text{-}dist}_i \leq p.\mathit{stop\text{-}dist}_i$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$; that is,
   $\max(p'.O_i) \leq \max(p.O_i)$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

   Since $\min(p.O_i) = \min(p'.O_i)$ and $\max(p'.O_i) \leq \max(p.O_i)$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$,
   it follows that $p'.O_i \subseteq p.O_i$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

2. Recall that $C_i(t) = [x_i, x_i + \mathit{max\text{-}range}_i(t) - \mathit{max\text{-}vel}_i(t)^2 / (2\ddot{c}_{brake}) + c_{len}]$, for any
   $t \in \mathbb{R}^{\geq 0}$. As shown above, it is the case that $p'.x_i = p.x_i$ and, therefore, the intervals
   $p.C_i(t)$ and $p'.C_i(t)$ have the same left endpoint, i.e., $\min(p.C_i(t)) = \min(p'.C_i(t))$.
   Now, consider the right endpoints of $p.C_i(t)$ and $p'.C_i(t)$. The variables $\mathit{max\text{-}range}_i$
   and $\mathit{max\text{-}vel}_i$ are positively correlated with the velocity of the vehicle $i$ and, therefore,
   it follows that $\max(p'.C_i(t)) \leq \max(p.C_i(t))$ if and only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

   Since $\min(p.C_i(t)) = \min(p'.C_i(t))$ and $\max(p'.C_i(t)) \leq \max(p.C_i(t))$ if and only if
   $p'.\dot{x}_i \leq p.\dot{x}_i$, for any $t \in \mathbb{R}^{\geq 0}$, it follows that $p'.C_i(t) \subseteq p.C_i(t)$, for any $t \in \mathbb{R}^{\geq 0}$, if and
   only if $p'.\dot{x}_i \leq p.\dot{x}_i$.

■


Lemma 4.4.4 If $p, p' \in$ VALID, where $p'$ follows from $p$ in a single trajectory, then the
following hold:

1. If $p \in P_{B_{ij}}$ then $p'.O_i \subseteq p.O_i$.

2. If $t \in \mathbb{R}^{\geq 0}$ and $\Delta t \in [0, t]$ is the limit time of the trajectory leading from $p$ to $p'$, then
   $p'.C_i(t - \Delta t) \subseteq p.C_i(t)$.

Proof: We prove each of the above statements separately.

1. Let $p \in P_{B_{ij}}$ and consider the left and right endpoints of the intervals $p.O_i$ and $p'.O_i$.

   The left endpoints of $p.O_i$ and $p'.O_i$ are $p.x_i$ and $p'.x_i$, respectively. Therefore, due to
   the non-negativity constraint on the vehicle velocities, it is the case that $p.x_i \leq p'.x_i$;
   that is, $\min(p.O_i) \leq \min(p'.O_i)$.

   Since $p \in P_{B_{ij}}$ and because the $\mathit{brake\text{-}req}(i, j)$ variable remains constant throughout
   any trajectory of the VEHICLES automaton, the vehicle $i$ keeps braking throughout
   the trajectory from $p$ to $p'$. From the definition of the variable $\mathit{stop\text{-}dist}_i$ it follows
   that $p.x_i + p.\mathit{stop\text{-}dist}_i = p'.x_i + p'.\mathit{stop\text{-}dist}_i$ and, therefore, the right endpoints of $p.O_i$
   and $p'.O_i$ are equal; that is, $\max(p'.O_i) = \max(p.O_i)$.

   Since $\min(p.O_i) \leq \min(p'.O_i)$ and $\max(p'.O_i) = \max(p.O_i)$, we can easily conclude
   from the definition of $O_i$ that $p'.O_i \subseteq p.O_i$.

2. Let $t \in \mathbb{R}^{\geq 0}$ and $\Delta t \in [0, t]$ be the limit time of the trajectory leading from $p$ to $p'$
   and consider the left and right endpoints of the intervals $p.C_i(t)$ and $p'.C_i(t - \Delta t)$.

   The left endpoints of $p.C_i(t)$ and $p'.C_i(t - \Delta t)$ are $p.x_i$ and $p'.x_i$, respectively.
   Therefore, due to the non-negativity constraint on the vehicle velocities, it is the case that
   $p.x_i \leq p'.x_i$; that is, $\min(p.C_i(t)) \leq \min(p'.C_i(t - \Delta t))$.

   Since the variables $\mathit{max\text{-}range}_i$ and $\mathit{max\text{-}vel}_i$ represent the worst-case behavior of the
   system, it is the case that $p'.x_i \leq p.x_i + p.\mathit{max\text{-}range}_i(\Delta t)$ and $p'.\dot{x}_i \leq p.\mathit{max\text{-}vel}_i(\Delta t)$.
   Since the variables $\mathit{max\text{-}range}_i$ and $\mathit{max\text{-}vel}_i$ are positively correlated with the velocity
   of the vehicle $i$ and $p'.\dot{x}_i \leq p.\mathit{max\text{-}vel}_i(\Delta t)$, it follows that
   $p'.x_i + p'.\mathit{max\text{-}range}_i(t - \Delta t) \leq p.x_i + p.\mathit{max\text{-}range}_i(t)$ and
   $p'.\mathit{max\text{-}vel}_i(t - \Delta t) \leq p.\mathit{max\text{-}vel}_i(t)$. Therefore, the right endpoint of $p.C_i(t)$ is at least
   as downstream as the right endpoint of $p'.C_i(t - \Delta t)$; that is,
   $\max(p'.C_i(t - \Delta t)) \leq \max(p.C_i(t))$.

   Since $\min(p.C_i(t)) \leq \min(p'.C_i(t - \Delta t))$ and $\max(p'.C_i(t - \Delta t)) \leq \max(p.C_i(t))$, we
   can easily conclude from the definition of $C_i(\tau)$, for $\tau \in \mathbb{R}^{\geq 0}$, that
   $p'.C_i(t - \Delta t) \subseteq p.C_i(t)$.

■


Lemma 4.4.5 For all $t, t' \in \mathbb{R}^{\geq 0}$, $t \leq t'$, the following hold:

Proof: Follow from Lemma 4.4.2 and the definitions of $P_E$, $P_O$, and $P_{C(\tau)}$, for $\tau \in \mathbb{R}^{\geq 0}$. ■
Chapter 5

Example 1: Overspeed Protection System

In this chapter, we present a protector that prevents the vehicles of the VEHICLES automaton
from exceeding a prespecified speed limit. In an actual system, speed limits may vary from
one region of the track to another; in this thesis, we assume a single global speed limit $\dot{c}_{\max}$.
We define a protector, called OS-PROT, that enforces the speed limit on all vehicles, provided
that they do not collide among themselves. This protector is defined as the composition
of $n$ separate copies of another protector called OS-PROT-SOLO$_i$, one copy for each vehicle
$i \in I$. Each of the OS-PROT-SOLO$_i$ protectors, for $i \in I$, is an implementation of a particular
instantiation of the abstract protector automaton of Section 3.2 and guarantees that the
vehicle $i$ does not exceed the speed limit.


5.1 Protection System OS-PROT-SOLO$_i$

The OS-PROT-SOLO$_i$ automata, for $i \in I$, are vehicle-wise overspeed protectors, each of
which individually guarantees that the vehicle $i$, for which it is responsible, does not exceed
the speed limit $\dot{c}_{\max}$, provided that no collisions among the vehicles occur. Each of the
OS-PROT-SOLO$_i$ protectors, for $i \in I$, is an implementation of the abstract protector of
Section 3.2 specialized to particular definitions of the parameters $PP$, $S$, $R$, $G$, $j$, and $d$.

The physical plant automaton, $PP$, is defined to be the VEHICLES automaton of Figure 4.1.
The port $j$ and the sampling period $d$ are defined to be the port and sampling period with
which the protector OS-PROT-SOLO$_i$ communicates with the VEHICLES automaton. They
are assumed arbitrary and are fixed for the rest of the chapter. The set $R$ is defined to be
the set $P_{\mathit{not\text{-}collided}}$ defined in Section 4.2. This definition restricts the reachable states of the
VEHICLES automaton to states in which no collisions among the vehicles have occurred. The
set of "good" states $G$ is defined to be the set of states in which the vehicle $i$ is at or below
the speed limit, i.e., $G = \text{VALID} - P_{\mathit{overspeed}(i)}$. The set of states $S$ is defined to be the set
$\mathit{safe}_{PP,R,G,j}$ defined in Section 3.2.1; that is, the set of states of the $PP$ automaton for which
a single input action of $PP$ on port $j$ can guarantee that, provided no new input actions
on port $j$ are allowed, all subsequently $R$-reachable states will be in $G$. In Section 3.2.1,
the definition of $\mathit{safe}$ depended on the automaton $PP$, the sets $R$ and $G$, and the port $j$
which, at the time, were arbitrary. Here, they are defined to be the automaton VEHICLES,
the sets $P_{\mathit{not\text{-}collided}}$ and $\text{VALID} - P_{\mathit{overspeed}(i)}$, and the port $j$, respectively; that is, we have
specialized the definition of $\mathit{safe}$ for these particular definitions of the automaton $PP$, the
sets $R$ and $G$, and the port $j$. In this chapter, we will use the notation $R_i$, $G_i$, and $S_i$ to
refer to the above definitions of the sets $R$, $G$, and $S$.

The OS-PROT-SOLO$_i$ protector automaton is an implementation of the abstract protector
automaton $\mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. As is the case for the abstract protector automaton
$\mathit{Abs}_j$, we define the OS-PROT-SOLO$_i$ automaton to be the composition of a sensor and a
discrete controller automaton. These automata are implementations of their abstract
equivalents of Figures 3.2 and 3.3, specialized, however, to the above definitions of the parameters
$PP$, $S$, $R$, $G$, $j$, and $d$. The sensor automaton is precisely the specialization of the sensor
automaton of Figure 3.2 to the above definitions of the parameters $PP$, etc. The discrete
controller automaton is defined in Figure 5.1.


It is important to note that the abstract protector automaton $\mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$
complies with the assumptions made about the abstract protector in Section 3.2.1. In particular,
since the vehicle velocity variables are output variables of the VEHICLES automaton, the
set $\mathit{safe}$ is $Y_{\text{VEHICLES}}$-determinable and actions that guarantee safety can be determined from
the output variables $Y_{\text{VEHICLES}}$ of the VEHICLES automaton (Axioms 3.2.4 and 3.2.5,
respectively). Moreover, the sets $R_i$ and $G_i$ are $Y_{\text{VEHICLES}}$-determinable (Axioms 3.2.6 and 3.2.7,
respectively) and the set of start states $S_i$ is a subset of the set $\mathit{safe}$ (Axiom 3.2.8), since $S_i$
is defined to be the set $\mathit{safe}$.

In Section 3.1 it was shown that the abstract protector $\mathit{Abs}_j$ guarantees that the physical
plant $PP$ remains within $G$ starting from $S$ given $R$. Similarly, the OS-PROT-SOLO$_i$ automaton
guarantees that VEHICLES remains within $G_i$ starting from $S_i$ given $R_i$. This is shown
in the following section.


5.2 Correctness of OS-PROT-SOLO$_i$

The main result to be shown is that OS-PROT-SOLO$_i$ $\leq \mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$.
However, since both OS-PROT-SOLO$_i$ and $\mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ involve the composition
of the same sensor automaton with distinct discrete controller automata, Theorem 2.7.4
applies. Therefore, it suffices to show that the discrete controller automaton of OS-PROT-SOLO$_i$
of Figure 5.1 implements the discrete controller automaton $\mathit{DC}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ of
Figure 3.3. According to Theorem 2.6.1, this follows by showing that there exists a simulation
relation between the states of the discrete controller automaton of OS-PROT-SOLO$_i$ and
$\mathit{DC}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. We first give some useful set definitions, then prove some
lemmas, and finally show the existence of such a simulation relation.

Figure 5.1 Discrete controller automaton for the protector OS-PROT-SOLO$_i$.

Actions:
  Input:
    $e$, the environment action (stuttering)
    $\mathit{snapshot}(y)_j$, for each valuation $y$ of $Y_{\text{VEHICLES}}$
  Output:
    $\mathit{brake}(i)_j$
    $\mathit{unbrake}(i)_j$

Variables:
  Internal:
    $\mathit{send}_i \in \{\mathit{brake}, \mathit{unbrake}, \mathit{null}\}$, initially $\mathit{null}$

Discrete Transitions:
  $\mathit{snapshot}(y)_j$
    Eff: if $y.\dot{x}_i \leq \dot{c}_{\max} - d\,\ddot{c}_{\max}$ then
           $\mathit{send}_i := \mathit{unbrake}$
         else
           $\mathit{send}_i := \mathit{brake}$
  $\mathit{brake}(i)_j$
    Pre: $\mathit{send}_i = \mathit{brake}$
    Eff: $\mathit{send}_i := \mathit{null}$
  $\mathit{unbrake}(i)_j$
    Pre: $\mathit{send}_i = \mathit{unbrake}$
    Eff: $\mathit{send}_i := \mathit{null}$

Trajectories:
  $w.\mathit{send}_i = \mathit{null}$


In this section, we use the notation $\mathit{future}_i$, $\mathit{safe}_i$, $\mathit{very\text{-}safe}_i$, and $\mathit{delay\text{-}safe}_i$ to denote the
specialization of the function $\mathit{future}$, the sets $\mathit{safe}$ and $\mathit{very\text{-}safe}$, and the function $\mathit{delay\text{-}safe}$,
which are defined in Section 3.2.1, to the automaton VEHICLES, the sets $R_i$ and $G_i$, and
the port $j$ of the OS-PROT-SOLO$_i$ protector. Moreover, since the environment action of
the VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs
involving the $PP$ automaton.

We proceed by defining several sets that are used in the correctness proof of the protector
OS-PROT-SOLO$_i$. For reference, their formal definitions appear in Table 5.1.


Let $W_i$ be the set of states of the VEHICLES automaton in which none of the vehicles have collided and the vehicle $i$ is at or below the speed limit; that is, $W_i = R_i \cap G_i$. Let $V_i$ be the set of states of the VEHICLES automaton in which none of the vehicles have collided, the vehicle $i$ is at or below the speed limit, and the protector $j$ is requesting the vehicle $i$ to brake; that is, $V_i = R_i \cap G_i \cap P_{B_{ij}}$. Furthermore, let $T_i$ be the set of states of the VEHICLES automaton in which none of the vehicles have collided, the vehicle $i$ is at or below the speed limit, and the condition $\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}$ is satisfied; that is, $T_i = \{p \in R_i \cap G_i \mid p.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}\}$.

Table 5.1 Sets used in the correctness proof of OS-PROT-SOLO_i.

    $W_i \subseteq \mathsf{VALID}$, for $i \in I$, defined by
        $W_i = R_i \cap G_i$

    $V_i \subseteq \mathsf{VALID}$, for $i \in I$, defined by
        $V_i = R_i \cap G_i \cap P_{B_{ij}}$

    $T_i \subseteq \mathsf{VALID}$, for $i \in I$, defined by
        $T_i = \{p \in R_i \cap G_i \mid p.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}\}$
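As an added example, not code from the thesis, the following Python runs the snapshot rule of Figure 5.1 and the velocity condition of $T_i$ against a plant that applies the maximal acceleration $\ddot{x}_{\max}$ whenever the vehicle is not braking, which is the adversary the proofs below argue against. The speed limit, the acceleration bounds and the period $d$ are assumed values; the thesis does not fix them on this page. The last run, in which the controller assumes a period shorter than the one the plant actually uses, shows why the threshold carries the $d\,\ddot{x}_{\max}$ margin rather than being the speed limit itself.

```python
"""Overspeed protector OS-PROT-SOLO_i (Figure 5.1) run against a worst-case plant.

Added example; the numerical constants are assumptions, not values from the thesis."""

XDOT_MAX = 20.0     # speed limit: G_i is the set of states with xdot_i <= XDOT_MAX (assumed)
XDDOT_MAX = 2.0     # upper bound on acceleration, as used in Lemma 5.2.7 (assumed)
XDDOT_BRAKE = 4.0   # deceleration magnitude while brake-req(i, j) = True (assumed)
D = 0.5             # sampling period d of the protector (assumed)


def in_T(xdot, d=D):
    """The velocity condition of T_i: xdot_i <= xdot_max - d * xddot_max.
    (The R_i and G_i parts of T_i are maintained by the closed loop below.)"""
    return xdot <= XDOT_MAX - d * XDDOT_MAX


def snapshot(xdot, d=D):
    """Figure 5.1: unbrake only if a full period of maximal acceleration cannot breach the limit."""
    return "unbrake" if in_T(xdot, d) else "brake"


def trajectory(xdot, braking, t):
    """Plant trajectory of length t.  The adversary applies XDDOT_MAX whenever the
    vehicle is not braking; velocities are clamped at zero (non-negative constraint).
    With constant acceleration the extreme velocities occur at the end points."""
    accel = -XDDOT_BRAKE if braking else XDDOT_MAX
    return max(0.0, xdot + accel * t)


def run(xdot0, periods, d_plant=D, d_ctrl=D):
    """Closed loop: snapshot, brake/unbrake output, then a trajectory of length d_plant
    with no further inputs on port j.  d_ctrl is the period the controller assumes.
    Returns the peak velocity observed at any sample point."""
    xdot = peak = xdot0
    for _ in range(periods):
        braking = snapshot(xdot, d_ctrl) == "brake"
        xdot = trajectory(xdot, braking, d_plant)
        peak = max(peak, xdot)
    return peak


if __name__ == "__main__":
    print("controller period matches plant: peak", run(0.0, 100))            # 20.0, at the limit
    print("controller assumes half the real period: peak", run(19.5, 10, d_ctrl=0.25))  # 20.5
```

The loop reproduces the structure of the DC automaton: time cannot pass while send_i is not null, so the output action always precedes the next trajectory. The margin $d\,\ddot{x}_{\max}$ is exactly the bound of Lemma 5.2.7, so the guarantee holds only if the $d$ and $\ddot{x}_{\max}$ the controller is configured with upper-bound the real inter-sample time and the real acceleration; when they do not, the $T_i$ test admits states from which the limit is breached before the next snapshot, as the second run shows.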


In the following lemma, we show that if we restrict the states of the VEHICLES automaton to the set $R_i$ and consider a state in which the vehicle $i$ is at or below the speed limit and is being requested to brake by the protector $j$, then, provided that no new protective actions are issued by the protector $j$, the vehicle $i$ remains at or below the speed limit thereafter.

Lemma 5.2.1 $\mathit{future}_i(V_i, \mathbb{R}^{\ge 0}) \subseteq G_i$.

Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $V_i$, is only comprised of states in $R_i$, and involves no input actions on port $j$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in V_i$ and $V_i \subseteq G_i$, it follows that $p_{final} \in G_i$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final} \in G_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{final}$ is the final state of $\alpha'$, then it is the case that $p'_{final} \in G_i$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, we consider all possible discrete actions by cases:

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero. Therefore, it trivially follows that $p_{final} \in G_i$.

3. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \ne i''$, and collision-effects(i''), for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$; recall that $R_i = P_{\mathit{not\text{-}collided}}$.

4. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and brick-wall(i''), for $i'' \in I$, $i'' \ne i$, do not affect the velocity of the vehicle $i$; that is, $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From the induction hypothesis we have that $p'_{final} \in G_i$ and, therefore, it follows that $p_{final} \in G_i$.

In the case of a trajectory, since the execution fragment $\alpha$ starts in a state in $V_i \subseteq P_{B_{ij}}$ and the only action that can set the brake-req(i, j) variable to False is not enabled throughout $\alpha$, all states in $\alpha$ are in $P_{B_{ij}}$; that is, the vehicle $i$ keeps braking throughout the execution fragment $\alpha$. Therefore, since the vehicle $i$ in state $p'_{final}$ is in $G_i$, i.e., at or below the speed limit, and the vehicle $i$ is braking throughout the trajectory from $p'_{final}$ to $p_{final}$, it trivially follows that the velocity of the vehicle $i$ in $p_{final}$ will be at or below the speed limit; that is, $p_{final} \in G_i$. ∎


In the following two lemmas, we use Lemma 5.2.1 to show that $V_i \subseteq \mathit{very\text{-}safe}_i$ and $V_i \subseteq \mathit{delay\text{-}safe}_i(t)$, for any $t \in \mathbb{R}^{\ge 0}$, respectively.

Lemma 5.2.2 $V_i \subseteq \mathit{very\text{-}safe}_i$.

Proof: From the definition of very-safe in Section 3.2.1, we must show that the condition $\mathit{future}_i(V_i, \mathbb{R}^{\ge 0}) \subseteq G_i$ is satisfied. This follows directly from Lemma 5.2.1. ∎

Lemma 5.2.3 For any $t \in \mathbb{R}^{\ge 0}$, it is the case that $V_i \subseteq \mathit{delay\text{-}safe}_i(t)$.

Proof: Follows directly from Lemma 5.2.2 and Lemma 3.2.5, part 1. ∎

In the following two lemmas and the subsequent corollary, we show that the sets $W_i$ and $\mathit{safe}_i$ are equal. First, we show that $W_i \subseteq \mathit{safe}_i$ and $\mathit{safe}_i \subseteq W_i$. Then the fact that $W_i = \mathit{safe}_i$ follows trivially.


Lemma 5.2.4 $W_i \subseteq \mathit{safe}_i$.

Proof: From the definition of safe in Section 3.2.1, we must show that any state $p \in W_i$ satisfies: (i) $\mathit{future}_i(p, 0) \subseteq G_i$, and (ii) there exists some action $\pi$ such that for every $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_i$.

For the first condition, let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that: starts in a state in $W_i$, is only comprised of states in $R_i$, involves no input actions on port $j$, and has a limit time equal to zero. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_i$, it follows that $p_{final} \in G_i$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final} \in G_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{final}$ is the final state of $\alpha'$, then it is the case that $p'_{final} \in G_i$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{final}$ to $p_{final}$.

To complete the induction, we consider all possible discrete actions by cases:

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero. Therefore, it trivially follows that $p_{final} \in G_i$.

3. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \ne i''$, and collision-effects(i''), for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$; recall that $R_i = P_{\mathit{not\text{-}collided}}$.

4. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and brick-wall(i''), for $i'' \in I$, $i'' \ne i$, do not affect the velocity of the vehicle $i$; that is, $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. However, from the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, it trivially follows that $p_{final} \in G_i$.

For the second condition, consider the action $\pi = $ brake(i)_j. The effect of this action is to set the internal variable brake-req(i, j) to True. Therefore, it is the case that $p'' \in P_{B_{ij}}$. From the proof of the first condition, it is the case that $p' \in G_i$, and since the brake(i)_j action does not affect the velocity of the vehicle $i$, it is also the case that $p'' \in G_i$. From the above conditions and the fact that $p'' \in R_i$, it follows that $p'' \in V_i$. Finally, Lemma 5.2.2 implies that $p'' \in \mathit{very\text{-}safe}_i$, as needed. ∎

Lemma 5.2.5 $\mathit{safe}_i \subseteq W_i$.

Proof: From Lemma 3.2.4, part 1, and the definition of safe in Section 3.2.1, it is the case that $\mathit{safe}_i \subseteq G_i$ and $\mathit{safe}_i \subseteq R_i$, respectively. It trivially follows that $\mathit{safe}_i \subseteq W_i$. ∎

Corollary 5.2.6 $W_i = \mathit{safe}_i$.

Proof: Follows directly from Lemmas 5.2.4 and 5.2.5. ∎


In the next three lemmas, we show that any state $p$ in the set $T_i$ is in the set $\mathit{delay\text{-}safe}_i(d)$; that is, any state $R_i$-reachable from $p$ within an amount of time $d$ through an execution fragment that involves no input actions on port $j$ is in the set $G_i$, and any state $R_i$-reachable from the state $p$ in exactly an amount of time $d$ through an execution fragment that involves no input actions on port $j$ is in the set $\mathit{safe}_i$.

Lemma 5.2.7 $\mathit{future}_i(T_i, [0, d]) \subseteq G_i$.

Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $T_i$, is only comprised of states in $R_i$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0, d]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$.

We use induction on the length $n$ of the execution fragment $\alpha$ and the assertion $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$ to show that $p_{final} \in G_i$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ and $p_{final}.\dot{x}_i = p_{init}.\dot{x}_i$. Moreover, since $t = 0$, it is the case that $t\,\ddot{x}_{\max} = 0$. It trivially follows that $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, and $t' \in [0, t]$ is the limit time of $\alpha'$, then it is the case that $p'_{final}.\dot{x}_i \le p'_{init}.\dot{x}_i + t'\,\ddot{x}_{\max}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible discrete actions by cases:

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and since all vehicle velocities are restricted to be non-negative, it follows that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. Moreover, from the induction hypothesis, we have $p'_{final}.\dot{x}_i \le p'_{init}.\dot{x}_i + t'\,\ddot{x}_{\max}$. Since $p_{init} = p'_{init}$ and $t = t'$, it follows that $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$.

3. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \ne i''$, and collision-effects(i''), for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$; recall that $R_i = P_{\mathit{not\text{-}collided}}$.

4. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and brick-wall(i''), for $i'' \in I$, $i'' \ne i$, do not affect the velocity of the vehicle $i$; that is, $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. Moreover, from the induction hypothesis we have $p'_{final}.\dot{x}_i \le p'_{init}.\dot{x}_i + t'\,\ddot{x}_{\max}$. Since $p_{init} = p'_{init}$ and $t = t'$, it follows that $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$.

In the case of a trajectory, since the change in velocity is equal to the integral of the acceleration and the acceleration is bounded from above by the quantity $\ddot{x}_{\max}$, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i + (t - t')\,\ddot{x}_{\max}$. Moreover, from the induction hypothesis we have $p'_{final}.\dot{x}_i \le p'_{init}.\dot{x}_i + t'\,\ddot{x}_{\max}$. Since $p_{init} = p'_{init}$, it follows that $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$. This result completes the induction.

Since $p_{init} \in T_i$, it is the case that $p_{init}.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}$. Moreover, from the above induction we have $p_{final}.\dot{x}_i \le p_{init}.\dot{x}_i + t\,\ddot{x}_{\max}$. Therefore, $p_{final}.\dot{x}_i \le \dot{x}_{\max} - (d - t)\,\ddot{x}_{\max}$, and since $d - t \ge 0$ and $\ddot{x}_{\max} \ge 0$, it follows that $p_{final}.\dot{x}_i \le \dot{x}_{\max}$; that is, $p_{final} \in G_i$, as needed. ∎

Lemma 5.2.8 $\mathit{future}_i(T_i, 0) \subseteq T_i$.

Proof: From Lemma 5.2.4 and the definition of $T_i$ it is the case that $T_i \subseteq \mathit{safe}_i$. Therefore, from Lemma 3.2.4, part 2, it follows that $\mathit{future}_i(T_i, 0) \subseteq \mathit{safe}_i$. Moreover, Lemma 5.2.5 implies that $\mathit{future}_i(T_i, 0) \subseteq W_i$. It remains to be shown that for all $p, p' \in R_i$ such that $p \in T_i$ and $p' \in \mathit{future}_i(p, 0)$, it is the case that $p'.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}$.

Because of the non-negative constraint on the vehicle velocities, the only discrete action that could potentially increase the velocity of the vehicle $i$ is the collision-effects(i) action. However, the collision-effects(i) action is not enabled because the function $\mathit{future}_i(p, 0)$ only considers $R_i$-reachable states. It follows that $p'.\dot{x}_i \le p.\dot{x}_i$. Moreover, since $p \in T_i$, it is the case that $p.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}$. It trivially follows that $p'.\dot{x}_i \le \dot{x}_{\max} - d\,\ddot{x}_{\max}$, as needed. ∎

Lemma 5.2.9 $T_i \subseteq \mathit{delay\text{-}safe}_i(d)$.

Proof: We must show that $\mathit{future}_i(T_i, [0, d]) \subseteq G_i$ and $\mathit{future}_i(T_i, d) \subseteq \mathit{safe}_i$. The first condition follows directly from Lemma 5.2.7. For the second condition, from Lemma 3.2.1, part 1, we have that $\mathit{future}_i(T_i, d) \subseteq \mathit{future}_i(T_i, [0, d])$. Therefore, from Lemma 5.2.7 it follows that $\mathit{future}_i(T_i, d) \subseteq G_i$. Moreover, since $\mathit{future}_i(T_i, d)$ restricts the reachable states to the set $R_i$, it is the case that $\mathit{future}_i(T_i, d) \subseteq R_i$. Therefore, it is the case that $\mathit{future}_i(T_i, d) \subseteq W_i$ and from Lemma 5.2.4 it follows that $\mathit{future}_i(T_i, d) \subseteq \mathit{safe}_i$, as needed. ∎


In the following lemma, we show that the OS-PROT-SOLO_i protector implements the protector Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$). Since the protector automata OS-PROT-SOLO_i and Abs_i involve the composition of the same sensor automaton with distinct controller automata, it suffices to show that the discrete controller automaton of the protector OS-PROT-SOLO_i implements the discrete controller automaton DC(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$).

Lemma 5.2.10 OS-PROT-SOLO_i $\le$ Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$).

Proof: As noted above, both the OS-PROT-SOLO_i and the Abs_i protectors involve the composition of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of OS-PROT-SOLO_i implements DC_i. This is shown by a simulation from the discrete controller automaton of OS-PROT-SOLO_i to DC_i.

The mapping between the states of the discrete controller automaton of OS-PROT-SOLO_i and DC_i is almost the identity. In the discrete controller automaton of OS-PROT-SOLO_i, the variable send_i is equal to either one of the labels brake and unbrake, or the value null. In the abstract discrete controller automaton, these valuations simply map to either the actions brake(i)_j and unbrake(i)_j, or the value null, respectively.

The start states for the discrete controller automaton of OS-PROT-SOLO_i and DC_i are the states in which send_i = null. These are mapped to each other according to the mapping discussed above.

Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the VEHICLES automaton that corresponds to $y$, i.e., $p \in \mathsf{VALID}$ and $p \lceil Y_{\mathrm{VEHICLES}} = y$.

1. The snapshot(y)_j action of the implementation sets send_i to brake, or unbrake. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action snapshot(y)_j of the implementation sets the value of the send_i variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees that for all $p', p'' \in R_i$ such that $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{delay\text{-}safe}_i(d)$, if $p \in \mathit{safe}_i$, and (ii) is an arbitrary output action of the implementation, otherwise.

First, consider the case in which $p \in \mathit{safe}_i$. Since Corollary 5.2.6 implies that $p \in W_i$, the discrete controller automaton of OS-PROT-SOLO_i sets the variable send_i according to whether the state $p$ is in $T_i$, or not.

On one hand, if $p \notin T_i$ then the discrete controller automaton of OS-PROT-SOLO_i sets the variable send_i to brake and the brake(i)_j action is enabled. However, since $p \in \mathit{safe}_i$, Lemma 3.2.4, part 2, implies that $p' \in \mathit{safe}_i$ and from Corollary 5.2.6 it follows that $p' \in W_i$. Moreover, since the brake(i)_j action sets the brake-req(i, j) variable to True and affects neither the velocity of any of the vehicles, nor any of the collided variables, it is the case that $p'' \in R_i \cap G_i \cap P_{B_{ij}}$, i.e., $p'' \in V_i$. Finally, from Lemma 5.2.3, it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed.

On the other hand, if $p \in T_i$ then the discrete controller automaton of OS-PROT-SOLO_i sets the variable send_i to unbrake and the unbrake(i)_j action is enabled. From Lemma 5.2.8, it follows that $p' \in T_i$. Moreover, since the unbrake(i)_j action sets the brake-req(i, j) variable to False and affects neither the velocity of the vehicle $i$, nor any of the collided variables, it is the case that $p'' \in T_i$. Finally, from Lemma 5.2.9, it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed.

Next, consider the case in which $p \notin \mathit{safe}_i$. In this case, the snapshot(y)_j action of the discrete controller automaton of OS-PROT-SOLO_i sets the variable send_i to either brake or unbrake and, subsequently, enables either the action brake(i)_j or the action unbrake(i)_j. However, when $p \notin \mathit{safe}_i$, the DC_i automaton sets the variable send_i arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of OS-PROT-SOLO_i is allowed by that of the DC_i automaton.

Therefore, the effects of the snapshot(y)_j action of the implementation are allowed by its specification.

2. The brake(i)_j and unbrake(i)_j actions have identical effects in both discrete controller automata. When the send_i variable matches the labels brake and unbrake, or the actions brake(i)_j and unbrake(i)_j, the respective action is performed and the send_i variable is set to the value null in both discrete controller automata.

3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of OS-PROT-SOLO_i and the DC_i automaton prior to and succeeding the execution of the environment action remains the same. ∎

Corollary 5.2.11 The protector OS-PROT-SOLO_i guarantees $G_i$ in the VEHICLES automaton starting from $S_i$ given $R_i$.

Proof: Follows directly from Lemma 5.2.10 and Theorem 3.2.9. ∎
5.3 Protection System OS-PROT

We now define the overspeed protector OS-PROT. As in the vehicle-wise case, we restrict the states of the VEHICLES automaton to the set $P_{\mathit{not\text{-}collided}}$ as defined in Section 4.2, i.e., $R_{\mathrm{OS\text{-}PROT}} = P_{\mathit{not\text{-}collided}}$. Let $G_{\mathrm{OS\text{-}PROT}}$ and $S_{\mathrm{OS\text{-}PROT}}$ be the intersection of the sets $G_i$ and $S_i$, for all $i \in I$, respectively, and OS-PROT be the composition of the protectors OS-PROT-SOLO_i, for all $i \in I$. The protector OS-PROT guarantees that the VEHICLES automaton remains within $G_{\mathrm{OS\text{-}PROT}}$ starting from $S_{\mathrm{OS\text{-}PROT}}$ given $R_{\mathrm{OS\text{-}PROT}}$. For reference, the formal definition of the OS-PROT automaton and of the sets $G_{\mathrm{OS\text{-}PROT}}$, $S_{\mathrm{OS\text{-}PROT}}$, and $R_{\mathrm{OS\text{-}PROT}}$ are shown in Table 5.2.

Table 5.2 Formal definitions of OS-PROT, $G_{\mathrm{OS\text{-}PROT}}$, $S_{\mathrm{OS\text{-}PROT}}$, and $R_{\mathrm{OS\text{-}PROT}}$.

    OS-PROT $= \prod_{i \in I}$ OS-PROT-SOLO_i

    $G_{\mathrm{OS\text{-}PROT}} = \bigcap_{i \in I} G_i$

    $S_{\mathrm{OS\text{-}PROT}} = \bigcap_{i \in I} S_i$

    $R_{\mathrm{OS\text{-}PROT}} = P_{\mathit{not\text{-}collided}}$

Corollary 5.3.1 The protector OS-PROT guarantees $G_{\mathrm{OS\text{-}PROT}}$ in the VEHICLES automaton starting from $S_{\mathrm{OS\text{-}PROT}}$ given $R_{\mathrm{OS\text{-}PROT}}$.

Proof: Follows directly from Corollary 5.2.11 and Theorem 3.1.4. ∎
Chapter 6

Example 2: Collision Avoidance on a Single Track

This chapter is similar to Chapter 5; instead of an overspeed protector, here we present a collision protector for the VEHICLES automaton. We define the protector CL-PROT that guarantees that none of the vehicles collide, provided that they are all abiding by the speed limit. The CL-PROT protector is defined as the composition of $n$ separate copies of another protector called CL-PROT-SOLO_i, one copy for each vehicle $i \in I$. Each of the CL-PROT-SOLO_i protectors, for $i \in I$, is an implementation of a particular instantiation of the abstract protector automaton of Section 3.2 and guarantees that the vehicle $i$ does not collide into any of the vehicles it trails.

6.1 Protection System CL-PROT-SOLO_i

The CL-PROT-SOLO_i automata are vehicle-wise collision protectors and individually guarantee that the vehicle $i$ does not collide into any of the vehicles it trails, provided that all vehicles are abiding by the speed limit and that all other vehicles $i' \in I$, $i' \ne i$, do not collide into any of the vehicles they respectively trail. Each of the CL-PROT-SOLO_i protectors, for $i \in I$, is an implementation of the abstract protector of Section 3.2 specialized to particular definitions of the parameters PP, $S$, $R$, $G$, $j$, and $d$.

The physical plant automaton, PP, is defined to be the VEHICLES automaton of Figure 4.1. The port $j$ and the sampling period $d$ are defined to be the port and sampling period with which the protector CL-PROT-SOLO_i communicates with the VEHICLES automaton and are assumed arbitrary. The set of "good" states $G$ is defined to be the set of states in which the vehicle $i$ has not collided into any of the other vehicles, i.e., $G = \mathsf{VALID} - P_{\mathit{collided}(i)}$. In this chapter, we use the notation $G_i$ to refer to this definition of the set $G$. The set $R$ is defined to be the set $R = P_{\mathit{not\text{-}overspeed}} \cap \left(\bigcap_{i' \in I,\, i' \ne i} G_{i'}\right)$. This definition restricts the states of the VEHICLES automaton to states in which all of the vehicles are abiding by the speed limit and in which each of the remaining vehicles has never collided into any other vehicle. The set of states $S$ is defined to be the set safe defined in Section 3.2.1; that is, the set of states of the PP automaton for which a single input action of PP on port $j$ can guarantee that, provided no new input actions on port $j$ are allowed, all subsequently $R$-reachable states will be in $G$. Once again, the definition of the set safe is specialized to the above definitions of the automaton PP, the sets $R$ and $G$, and the port $j$. In this chapter, we use the notation $R_i$ and $S_i$ to refer to the above definitions of the sets $R$ and $S$.

The CL-PROT-SOLO_i protector automaton is an implementation of the abstract protector automaton Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$). More precisely, as is the case for the abstract protector Abs_i, we define the CL-PROT-SOLO_i automaton to be the composition of a sensor and a discrete controller automaton. These automata are implementations of their abstract equivalents of Figures 3.2 and 3.3, specialized however, to the above definitions of the parameters PP, $S$, $R$, $G$, $j$, and $d$. The sensor automaton is precisely the specialization of the sensor automaton of Figure 3.2 to the above definitions of the parameters PP, etc. The discrete controller automaton is defined in Figure 6.1.

The braking strategy of the CL-PROT-SOLO_i protector is as follows. The protector instructs the vehicle $i$ to brake if it has a $d$ time unit claim overlap with any of the vehicles it trails; that is, the protector instructs the vehicle $i$ to brake if there exists a vehicle $i'$, for $i' \in I$, $i' \ne i$, such that the sections of the track claimed by the vehicles $i$ and $i'$ in time $d$ overlap and $x_i < x_{i'}$. The rationale behind this braking strategy is that a collision between two vehicles in the VEHICLES automaton can only be prevented by instructing the trailing vehicle to brake.
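The braking strategy above, worked through numerically as an added example (this is not code from the thesis). The thesis's definitions of the owned section $O_i$ and of the section $C_i(t)$ claimed in time $t$ are not reproduced on this page, so the example assumes them: $O_i$ is taken to be the track from $x_i$ to the point at which braking at a deceleration $b$ stops the vehicle, and $C_i(t)$ the track from $x_i$ to the far end of $O_i$ after accelerating at $\ddot{x}_{\max}$ for $t$, which gives $C_i(0) = O_i$ as Lemma 6.2.1, part 4, requires. The constants are assumed as well. The trailing vehicle is run against a leader that has already executed brick-wall, which is the worst case the plant allows since positions never decrease; the second run, with the lookahead $d$ set to zero, shows the vehicle leaving $W_i$ during the unsupervised period and colliding.

```python
"""Collision protector CL-PROT-SOLO_i (Figure 6.1) run against a brick-walled leader.

Added example; the constants and the shapes of O_i and C_i(t) are assumptions, not the
thesis's definitions (which this page does not reproduce)."""

A_MAX = 2.0   # assumed upper bound on acceleration
B_MAX = 4.0   # assumed deceleration magnitude while brake-req(i, j) = True
D = 0.5       # assumed sampling period d


def owned(x, v):
    """O_i, assumed: the track from x to the point where braking at B_MAX stops the vehicle."""
    return (x, x + v * v / (2.0 * B_MAX))


def claimed(x, v, t):
    """C_i(t), assumed: the track from x to the far end of O_i after accelerating at A_MAX
    for t.  C_i(0) = O_i, matching Lemma 6.2.1, part 4."""
    v_t = v + A_MAX * t
    x_t = x + v * t + 0.5 * A_MAX * t * t
    return (x, owned(x_t, v_t)[1])


def overlap(a, b):
    """Closed intervals a and b intersect."""
    return a[0] <= b[1] and b[0] <= a[1]


def snapshot(states, i, d=D):
    """Figure 6.1: brake iff some vehicle ahead of i has a d-time claim overlap with i.
    states maps a vehicle id to (x, xdot)."""
    x_i, v_i = states[i]
    for k, (x_k, v_k) in states.items():
        if k != i and x_i < x_k and overlap(claimed(x_i, v_i, d), claimed(x_k, v_k, d)):
            return "brake"
    return "unbrake"


def in_W(states, i):
    """W_i of Table 6.1: owned sections disjoint from every vehicle ahead (T_i(0) = W_i).
    The R_i and G_i parts hold by construction in this model."""
    return snapshot(states, i, d=0.0) == "unbrake"


def evolve(x, v, a, t):
    """Trajectory of length t under constant acceleration a; velocity clamps at zero."""
    if a < 0 and v + a * t < 0:   # comes to rest inside the interval
        t = -v / a
    return x + v * t + 0.5 * a * t * t, max(0.0, v + a * t)


def simulate(periods, d_ctrl=D, d_plant=D, x_leader=30.0):
    """Follower starts at rest at x = 0; the leader has already stopped (brick-wall) at
    x_leader.  Each period: snapshot with lookahead d_ctrl, output action, then a
    trajectory of length d_plant with the adversary applying A_MAX whenever the follower
    is not braking.  Returns the smallest leader-minus-follower gap seen at a sample point
    (<= 0 means a collision); with a stationary leader the gap is monotone inside a period,
    so sample points suffice."""
    follower, leader = (0.0, 0.0), (x_leader, 0.0)
    min_gap = x_leader
    for _ in range(periods):
        states = {"F": follower, "L": leader}
        braking = snapshot(states, "F", d_ctrl) == "brake"
        follower = evolve(*follower, -B_MAX if braking else A_MAX, d_plant)
        gap = leader[0] - follower[0]
        min_gap = min(min_gap, gap)
        if gap <= 0:
            break
    return min_gap


if __name__ == "__main__":
    print("lookahead d honoured:", simulate(60))               # 0.375, no collision
    print("no lookahead (d = 0):", simulate(60, d_ctrl=0.0))   # negative: collision
```

The first run brakes and creeps forward in alternation, but every state sampled is in $W_i$ and the follower stops short of the leader. With the lookahead removed the protector only reacts once the owned sections already overlap, i.e., once the state has left $\mathit{safe}_i$ during the $d$ time units in which no input on port $j$ is possible, and no braking action can then prevent the collision; this is the situation Lemma 6.2.1 and the $T_i(d)$ test are designed to exclude.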


It is important to note that the abstract protector automaton Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$) complies with the assumptions made about the abstract protector in Section 3.2.1. In particular, since the vehicle position variables, the vehicle velocity variables, and the collided variables are output variables of the VEHICLES automaton, the set safe is $Y_{\mathrm{VEHICLES}}$-determinable and actions that guarantee safety can be determined from the output variables $Y_{\mathrm{VEHICLES}}$ of the VEHICLES automaton (Axioms 3.2.4 and 3.2.5, respectively). Moreover, the sets $R_i$ and $G_i$ are $Y_{\mathrm{VEHICLES}}$-determinable (Axioms 3.2.6 and 3.2.7, respectively) and the set of start states $S_i$ is a subset of the set safe (Axiom 3.2.8), since $S_i$ is defined to be the set safe.

In Section 3.1 it was shown that the abstract protector Abs_i guarantees that the physical plant PP remains within $G$ starting from $S$ given $R$. Similarly, the CL-PROT-SOLO_i automaton guarantees that the VEHICLES automaton remains within $G_i$ starting from $S_i$ given $R_i$. This is shown in the following section.
Figure 6.1 Discrete controller automaton for the protector CL-PROT-SOLO_i.

Actions:   Input:    e, the environment action (stuttering)
                     snapshot(y)_j, for each valuation y of $Y_{\mathrm{VEHICLES}}$
           Output:   brake(i)_j
                     unbrake(i)_j
Variables: Internal: send_i ∈ {brake, unbrake, null}, initially null

Discrete Transitions:

snapshot(y)_j
Eff: if $\exists\, i' \in I$, $i' \ne i$ such that
         $y \notin \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', d) \wedge (y.x_i < y.x_{i'})$
     then
         send_i := brake
     else
         send_i := unbrake

brake(i)_j                         unbrake(i)_j
Pre: send_i = brake                Pre: send_i = unbrake
Eff: send_i := null                Eff: send_i := null

Trajectories:

w.send_i = null
6.2 Correctness of CL-PROT-SOLO_i

The main result to be shown is that CL-PROT-SOLO_i $\le$ Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$). Since both CL-PROT-SOLO_i and Abs(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$) involve the composition of the same sensor automaton with distinct discrete controller automata, Theorem 2.7.4 applies. Therefore, it suffices to show that the discrete controller automaton of CL-PROT-SOLO_i of Figure 6.1 implements the discrete controller automaton DC(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$) of Figure 3.3. According to Theorem 2.6.1, this follows by showing that there exists a simulation relation between the states of the discrete controller automaton of CL-PROT-SOLO_i and the discrete controller automaton DC(VEHICLES, $S_i$, $R_i$, $G_i$, $j$, $d$). We first give some useful set definitions, then prove some lemmas, and finally show the existence of such a simulation relation. The correctness proof follows the steps of the correctness proof of Section 5.2.

In this section, we use the notation future_i, safe_i, very-safe_i, and delay-safe_i to denote the specialization of the function future, the sets safe and very-safe, and the function delay-safe, which are defined in Section 3.2.1, to the automaton VEHICLES, the sets $R_i$ and $G_i$, and the port $j$ of the CL-PROT-SOLO_i protector. Moreover, since the environment action of the VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs involving the PP automaton.

We proceed by defining several sets that are used in the correctness proof of the protector CL-PROT-SOLO_i. For reference, their formal definitions appear in Table 6.1.

Let $W_i$ be the subset of $R_i \cap G_i$ comprised of the states in which the section of the track owned by the vehicle $i$ does not overlap the section of track owned by any of the vehicles it trails; that is, for every state $p$ in $W_i$, $p \in R_i \cap G_i$ and there does not exist $i' \in I$, $i' \ne i$ such that $p.O_i \cap p.O_{i'} \ne \emptyset$ and $p.x_i < p.x_{i'}$.

Let $V_i$ be the subset of $W_i$ comprised of the states in which the protector $j$ is requesting the vehicle $i$ to brake; that is, $V_i = W_i \cap P_{B_{ij}}$.

Let $T_i(t)$, where $t \in \mathbb{R}^{\ge 0}$, be the subset of $R_i \cap G_i$ comprised of the states in which the section of the track claimed in time $t$ by the vehicle $i$ does not overlap the section of the track claimed in time $t$ by any of the vehicles it trails; that is, for every state $p$ in $T_i(t)$, $p \in R_i \cap G_i$ and there does not exist $i' \in I$, $i' \ne i$ such that $p.C_i(t) \cap p.C_{i'}(t) \ne \emptyset$ and $p.x_i < p.x_{i'}$.

Table 6.1 Sets used in the correctness proof of CL-PROT-SOLO_i.

    $W_i \subseteq \mathsf{VALID}$, for $i \in I$, defined by
        $W_i = \{p \in R_i \cap G_i \mid \nexists\, i' \in I,\, i' \ne i : p.O_i \cap p.O_{i'} \ne \emptyset \wedge p.x_i < p.x_{i'}\}$

    $V_i \subseteq \mathsf{VALID}$, for $i \in I$, defined by
        $V_i = W_i \cap P_{B_{ij}}$

    $T_i(t) \subseteq \mathsf{VALID}$, for $i \in I$ and $t \in \mathbb{R}^{\ge 0}$, defined by
        $T_i(t) = \{p \in R_i \cap G_i \mid \nexists\, i' \in I,\, i' \ne i : p.C_i(t) \cap p.C_{i'}(t) \ne \emptyset \wedge p.x_i < p.x_{i'}\}$

Lemma 6.2.1 For all $t, t' \in \mathbb{R}^{\ge 0}$, $t \le t'$, the following hold:

1. $T_i(t) \subseteq W_i \subseteq G_i$.

2. $V_i \subseteq W_i \subseteq G_i$.

3. $T_i(t') \subseteq T_i(t)$.

4. $T_i(0) = W_i$.

Proof: Follow directly from the definitions of the sets $G_i$, $W_i$, and $T_i(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and Lemma 4.4.2. ∎


In the following three lemmas, we show that any state $R_i$-reachable from a state in $V_i$ through an execution fragment that involves no input actions on port $j$ is in $V_i$. In the first lemma, we show that if the final state of such an execution fragment is in $G_i$ and the section of track owned by the vehicle $i$ has not grown since the beginning of the execution fragment, then the final state of the execution fragment is in $V_i$. In the second lemma, we show that the final state of any such execution fragment is in $G_i$ and the section of track owned by the vehicle $i$ does not grow throughout the execution fragment. Finally, the third lemma combines these two results and states formally the desired property.

Lemma 6.2.2 Let $p \in V_i$ and $p' \in \mathit{future}_i(p, \mathbb{R}^{\ge 0})$. If $p' \in G_i$ and $p'.O_i \subseteq p.O_i$ then $p' \in V_i$.

Proof: We need to show that $p' \in R_i \cap G_i \cap P_{B_{ij}}$ and that there does not exist $i' \in I$, $i' \ne i$ such that $p'.O_i \cap p'.O_{i'} \ne \emptyset$ and $p'.x_i < p'.x_{i'}$. We consider these conditions by cases:

1. $p' \in R_i$. This is the case because the function $\mathit{future}_i(p, \mathbb{R}^{\ge 0})$ only considers $R_i$-reachable states.

2. $p' \in G_i$. This is true by assumption.

3. $p' \in P_{B_{ij}}$. Since $p \in P_{B_{ij}}$, it is the case that $p$.brake-req(i, j) = True. Moreover, the brake-req(i, j) variable can only be set to False by an unbrake(i)_j action, an action not allowed by the function $\mathit{future}_i(p, \mathbb{R}^{\ge 0})$. Therefore, it follows that $p' \in P_{B_{ij}}$, as needed.

4. $\nexists\, i' \in I$, $i' \ne i$, such that $p'.O_i \cap p'.O_{i'} \ne \emptyset$ and $p'.x_i < p'.x_{i'}$. Because $p \in V_i$ we have that for all $i' \in I$, $i' \ne i$ such that $p.x_i < p.x_{i'}$ it is the case that $p.O_i \cap p.O_{i'} = \emptyset$; that is, for all $i' \in I$, $i' \ne i$ such that $p.x_i < p.x_{i'}$ it is the case that $\max(p.O_i) < \min(p.O_{i'})$. However, by assumption it is the case that $p'.O_i \subseteq p.O_i$. Therefore, since the vehicle velocities are restricted to be non-negative, it follows that for all $i' \in I$, $i' \ne i$ such that $p'.x_i < p'.x_{i'}$ it is the case that $\max(p'.O_i) < \min(p'.O_{i'})$. This is sufficient to guarantee that there does not exist $i' \in I$, $i' \ne i$ such that $p'.O_i \cap p'.O_{i'} \ne \emptyset$ and $p'.x_i < p'.x_{i'}$. ∎
Lemma 6.2.3 For all $p \in V_i$, if $p' \in \mathit{future}_i(p, \mathbb{R}^{\ge 0})$, then $p' \in G_i$ and $p'.O_i \subseteq p.O_i$.

Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $V_i$, is only comprised of states in $R_i$, and involves no input actions on port $j$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$ and $p_{final}.O_i \subseteq p_{init}.O_i$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$. From Lemma 6.2.1, part 2, and the fact that $p_{init} \in V_i$, it follows that $p_{final} \in G_i$. Moreover, the fact that $p_{final}.O_i \subseteq p_{init}.O_i$ is trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final} \in G_i$ and $p_{final}.O_i \subseteq p_{init}.O_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{final} \in G_i$ and $p'_{final}.O_i \subseteq p'_{init}.O_i$. Moreover, from Lemma 6.2.2 it follows that $p'_{final} \in V_i$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, we consider all possible discrete actions by cases:

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and does not affect the variables collided(i, i'), for $i' \in I$, $i' \ne i$.

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the internal action brick-wall(i) does not affect the variables collided(i, i'), for $i' \in I$, $i' \ne i$, it follows that $p_{final} \in G_i$.

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$ it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

3. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and brick-wall(i''), for $i'' \in I$, $i'' \ne i$, affect neither the velocity of the vehicle $i$, nor the variables collided(i, i''), for $i'' \in I$, $i'' \ne i$.

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and brick-wall(i''), for $i'' \in I$, $i'' \ne i$, do not affect the variables collided(i, i''), for $i'' \in I$, $i'' \ne i$, it follows that $p_{final} \in G_i$.

Moreover, since the input actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \ne j$, and the internal actions brick-wall(i''), for $i'' \in I$, $i'' \ne i$, do not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

4. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \ne i''$, and collision-effects(i''), for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$ and $p'_{final} \in V_i$.

In the case of a trajectory, since $p'_{final} \in V_i$ and $V_i \subseteq P_{B_{ij}}$, Lemma 4.4.4, part 1, implies that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$. Moreover, since $p'_{final} \in G_i$ and the variables collided(i, i'), for all $i' \in I$, $i' \ne i$, remain constant throughout the trajectory, it follows that $p_{final} \in G_i$, as needed. ∎


Lemma 6.2.4 $\mathit{future}_i(V_i, \mathbb{R}^{\geq 0}) \subseteq V_i$.

Proof: Follows directly from Lemmas 6.2.2 and 6.2.3. ∎

In the following two lemmas, we use Lemma 6.2.4 to show that $V_i \subseteq \mathit{very\text{-}safe}_i$ and that $V_i \subseteq \mathit{delay\text{-}safe}_i(t)$, for any $t \in \mathbb{R}^{\geq 0}$, respectively.

Lemma 6.2.5 $V_i \subseteq \mathit{very\text{-}safe}_i$.

Proof: From the definition of very-safe in Section 3.2.1, we must show that the condition $\mathit{future}_i(V_i, \mathbb{R}^{\geq 0}) \subseteq G_i$ is satisfied. This follows directly from Lemma 6.2.4 and Lemma 6.2.1, part 2. ∎

Lemma 6.2.6 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $V_i \subseteq \mathit{delay\text{-}safe}_i(t)$.

Proof: Follows directly from Lemma 6.2.5 and Lemma 3.2.5, part 1. ∎

In the next three lemmas and the subsequent corollary, we show that the sets $W_i$ and $\mathit{safe}_i$ are equal. First, we show that any state that is $R_i$-reachable from a state $p$ in $W_i$ through an execution fragment that involves no input actions on port $j$ and has a limit time equal to zero is in the set $W_i$. Then, we show that $W_i \subseteq \mathit{safe}_i$ and $\mathit{safe}_i \subseteq W_i$. Finally, the subsequent corollary states that $W_i = \mathit{safe}_i$.

Lemma 6.2.7 $\mathit{future}_i(W_i, 0) \subseteq W_i$.
Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that starts in a state in $W_i$, is comprised only of states in $R_i$, involves no input actions on port $j$, and has a limit time equal to zero. Moreover, let $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{final} \in W_i$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_i$, it follows that $p_{final} \in W_i$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final} \in W_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis asserts that if $p'_{final}$ is the final state of $\alpha'$, then $p'_{final} \in W_i$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{final}$ to $p_{final}$.

To complete the induction, we consider all possible discrete actions by cases:

1. The actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ cannot occur, because $\alpha$ involves no input actions on port $j$.

2. The actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, affect neither the velocity of any of the vehicles nor the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$.

From the induction hypothesis, it is the case that $p'_{final} \in W_i$. Since the actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, do not affect the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$, it follows that $p_{final} \in G_i$.

Moreover, the actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, do not affect the velocity of any of the vehicles, i.e., $p_{final}.\dot{x}_{i''} = p'_{final}.\dot{x}_{i''}$, for all $i'' \in I$. From Lemma 4.4.3, part 1, it follows that the section of the track owned by each of the vehicles does not grow, i.e., $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$. Since $p'_{final} \in W_i$, the section of track owned in state $p'_{final}$ by the vehicle $i$ does not overlap the sections of track owned by any of the vehicles it trails. Since $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$, the same applies in the state $p_{final}$.

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_i$, it follows that $p_{final} \in W_i$.

3. The $\mathit{brick\text{-}wall}(i')$ actions, for $i' \in I$, set the velocity of the vehicle $i'$ to zero and affect neither the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$, nor the velocity of any of the other vehicles, i.e., $p_{final}.\dot{x}_{i''} = p'_{final}.\dot{x}_{i''}$, for all $i'' \in I$, $i'' \neq i'$. Without loss of generality, consider a particular $\mathit{brick\text{-}wall}(i')$ action, for some $i' \in I$.

From the induction hypothesis, it is the case that $p'_{final} \in W_i$. Since the $\mathit{brick\text{-}wall}(i')$ action does not affect the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$, it follows that $p_{final} \in G_i$.

The $\mathit{brick\text{-}wall}(i')$ action sets the velocity of the vehicle $i'$ to zero. Therefore, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \leq p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Moreover, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the velocity of any of the other vehicles, it is the case that $p_{final}.\dot{x}_{i''} = p'_{final}.\dot{x}_{i''}$, for all $i'' \in I$, $i'' \neq i'$. Again, from Lemma 4.4.3, part 1, it follows that the section of the track owned by any of the vehicles other than $i'$ does not grow, i.e., $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$, $i'' \neq i'$.

Since $p'_{final} \in W_i$, the section of track owned in state $p'_{final}$ by the vehicle $i$ does not overlap the sections of track owned by any of the vehicles it trails. From above, however, $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$, and, therefore, the same applies in the state $p_{final}$.

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_i$, it follows that $p_{final} \in W_i$.

4. The actions $\mathit{colliding\text{-}pair}(i', i'')$, for $i', i'' \in I$, $i' \neq i''$, and $\mathit{collision\text{-}effects}(i'')$, for $i'' \in I$, are not enabled, because $\alpha$ is comprised only of states in $R_i$ and $p'_{final} \in W_i$. ∎
Lemma 6.2.8 $W_i \subseteq \mathit{safe}_i$.

Proof: From the definition of safe in Section 3.2.1, we must show that any state $p \in W_i$ satisfies: (i) $\mathit{future}_i(p, 0) \subseteq G_i$, and (ii) there exists some action $\pi$ such that for every $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_i$.

(i) The first condition follows from Lemma 6.2.7, Lemma 6.2.1, part 1, and the fact that $p \in W_i$.

(ii) For the second condition, consider the state $p''$ that follows from $p'$ after a $\mathit{brake}(i)_j$ action is executed, i.e., let $\pi = \mathit{brake}(i)_j$. Since the $\mathit{brake}(i)_j$ action affects neither the position nor the velocity of the vehicle $i$, it is the case that $p''.O_i = p'.O_i$. From Lemma 6.2.7 and the fact that $p \in W_i$, it follows that $p' \in W_i$. Since (i) $p' \in W_i$, (ii) $p'' \in R_i$ by assumption, and (iii) the $\mathit{brake}(i)_j$ action affects neither the variables $\mathit{collided}(i, i')$, for $i' \in I$, $i' \neq i$, nor the velocity of any of the vehicles (and, therefore, nor the section of the track owned by any of the vehicles), it follows that $p'' \in W_i$. Moreover, since $p''$ follows from $p'$ after a $\mathit{brake}(i)_j$ action, which sets $\mathit{brake\text{-}req}(i, j)$ to True, it is the case that $p'' \in P_{br}$. From the above conditions, it follows that $p'' \in V_i$. Finally, Lemma 6.2.5 implies that $p'' \in \mathit{very\text{-}safe}_i$, as needed. ∎


Lemma 6.2.9 For any $p \in R_i$, if $p \in \mathit{safe}_i$ then $p \in W_i$.

Proof: We show the contrapositive; that is, for any $p \in R_i$, if $p \notin W_i$ then $p \notin \mathit{safe}_i$. Since

$W_i = \{\, p \in R_i \cap G_i \mid \neg \exists\, i' \in I, i' \neq i : p.O_i \cap p.O_{i'} \neq \emptyset \wedge p.x_i < p.x_{i'} \,\}$

and $p \in R_i$, we consider the condition $p \notin G_i$ and the condition that there exists $i' \in I$, $i' \neq i$, such that $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$.

1. $p \notin G_i$.

From Lemma 3.2.4, part 1, it is the case that $\mathit{safe}_i \subseteq G_i$. Since $p \notin G_i$, it follows that $p \notin \mathit{safe}_i$.

2. There exists $i' \in I$, $i' \neq i$, such that $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$.

Without loss of generality, let $i' \in I$, $i' \neq i$, be the vehicle that satisfies the conditions $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. Since $p \in \mathit{VALID}$, the vehicles in state $p$ have no positive-length extent overlap and, therefore, there is only one vehicle $i'$, for $i' \in I$, $i' \neq i$, satisfying the conditions $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$.

We must show that $p \notin \mathit{safe}_i$. Now, $p \in \mathit{safe}_i$ implies that there exists some input action $\pi$ on port $j$ such that for every $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_i$. Therefore, it suffices to show that for any input action $\pi$ on port $j$, there exist $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_i$. We consider each input action $\pi$ on port $j$ separately.

(a) $\pi = \mathit{brake}(i)_j$.

Consider the state $p' \in R_i$ that is reached from the state $p$ through the execution of the action $\mathit{brick\text{-}wall}(i')$ and satisfies the condition $p'.\dot{x}_{i'} = 0$; that is, $p' \in R_i$ such that $p'.\dot{x}_{i'} = 0$ and $p'.\ddot{x}_{i'} = 0$.

Since the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{brake}(i)_j$ affect neither the position nor the velocity of the vehicle $i$, it is the case that $p''.x_i = p'.x_i = p.x_i$ and $p''.\dot{x}_i = p'.\dot{x}_i = p.\dot{x}_i$. Therefore, since the section of track owned by the vehicle $i$ depends only on the position and the velocity of the vehicle $i$, it is the case that $p''.O_i = p'.O_i = p.O_i$. Similarly, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the position of the vehicle $i'$ but sets its velocity to zero, and the $\mathit{brake}(i)_j$ action affects neither the position nor the velocity of the vehicle $i'$, it follows that $p''.x_{i'} = p'.x_{i'} = p.x_{i'}$ and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = 0$. Therefore, since $p.O_i \cap p.O_{i'} \neq \emptyset$, $p.x_i < p.x_{i'}$, $p''.O_i = p.O_i$, and $p''.x_{i'} = p.x_{i'}$, it is the case that $p''.x_{i'} \in p''.O_i$.

Now, consider the evolution of the VEHICLES automaton following the state $p''$ in which the vehicle $i'$ remains stationary. Since $p''.x_{i'} \in p''.O_i$, it follows that at some state of such an evolution the action $\mathit{colliding\text{-}pair}(i, i')$ is enabled and, subsequently, executed. The state of the VEHICLES automaton following the execution of the action $\mathit{colliding\text{-}pair}(i, i')$ would, therefore, not be in $G_i$. It follows that $p'' \notin \mathit{very\text{-}safe}_i$, which implies that $p \notin \mathit{safe}_i$.

(b) $\pi = \mathit{unbrake}(i)_j$.

Consider the state $p' \in R_i$ that is reached from the state $p$ through the execution of the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{unbrake}(i)_{j'}$, for all $j' \in J$, $j' \neq j$, and satisfies the condition $p'.\dot{x}_{i'} = 0$; that is, $p' \in R_i$ such that $p'.\dot{x}_{i'} = 0$, $p'.\ddot{x}_{i'} = 0$, and $p'.\mathit{brake\text{-}req}(i, j') = \mathit{False}$, for all $j' \in J$, $j' \neq j$.

Since the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{unbrake}(i)_{j'}$, for all $j' \in J$, affect neither the position nor the velocity of the vehicle $i$, it follows that $p''.x_i = p'.x_i = p.x_i$ and $p''.\dot{x}_i = p'.\dot{x}_i = p.\dot{x}_i$. Therefore, since the section of track owned by the vehicle $i$ depends only on the position and the velocity of the vehicle $i$, it is the case that $p''.O_i = p'.O_i = p.O_i$. Similarly, since the action $\mathit{brick\text{-}wall}(i')$ does not affect the position of the vehicle $i'$ but sets its velocity to zero, and the actions $\mathit{unbrake}(i)_{j'}$, for all $j' \in J$, affect neither the position nor the velocity of the vehicle $i'$, it follows that $p''.x_{i'} = p'.x_{i'} = p.x_{i'}$ and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = 0$. Therefore, since $p.O_i \cap p.O_{i'} \neq \emptyset$, $p.x_i < p.x_{i'}$, $p''.O_i = p.O_i$, and $p''.x_{i'} = p.x_{i'}$, it is the case that $p''.x_{i'} \in p''.O_i$.

Now, consider the evolution of the VEHICLES automaton following the state $p''$ in which the vehicle $i$ moves forward and the vehicle $i'$ remains stationary. Since $p''.x_{i'} \in p''.O_i$, it follows that at some state of such an evolution the action $\mathit{colliding\text{-}pair}(i, i')$ is enabled and, subsequently, executed. The state of the VEHICLES automaton following the execution of the action $\mathit{colliding\text{-}pair}(i, i')$ would, therefore, not be in $G_i$. It follows that $p'' \notin \mathit{very\text{-}safe}_i$, which implies that $p \notin \mathit{safe}_i$.

Thus, for any input action $\pi$ on port $j$, there exist $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_i$. It follows that $p \notin \mathit{safe}_i$, as needed. ∎

Corollary 6.2.10 $W_i = \mathit{safe}_i$.

Proof: Follows directly from Lemmas 6.2.8 and 6.2.9. ∎


In the next few lemmas, we show that any state $p$ in the set $T_i(t)$, for any $t \in \mathbb{R}^{\geq 0}$, is in the set $\mathit{delay\text{-}safe}_i(t)$; that is, any state $R_i$-reachable from $p$ within an amount of time $t$ through an execution fragment that involves no input actions on port $j$ is in the set $G_i$, and any state $R_i$-reachable from the state $p$ in exactly an amount of time $t$ through an execution fragment that involves no input actions on port $j$ is in the set $\mathit{safe}_i$.

Lemma 6.2.11 Let $p \in T_i(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in \mathit{future}_i(p, t)$, where $t \in [0, \tau]$. If $p' \in G_i$ and $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, then $p' \in T_i(\tau - t)$.

Proof: We need to show that $p' \in R_i \cap G_i$ and that there does not exist $i' \in I$, $i' \neq i$, such that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. We consider the conditions by cases:

1. $p' \in R_i$. This is the case because the function $\mathit{future}_i(p, t)$ only considers $R_i$-reachable states.

2. $p' \in G_i$. This is true by assumption.

3. There does not exist $i' \in I$, $i' \neq i$, such that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. Because $p \in T_i(\tau)$, we have that for all $i' \in I$, $i' \neq i$, such that $p.x_i < p.x_{i'}$, it is the case that $p.C_i(\tau) \cap p.C_{i'}(\tau) = \emptyset$; that is, for all $i' \in I$, $i' \neq i$, such that $p.x_i < p.x_{i'}$, it is the case that $\max(p.C_i(\tau)) < \min(p.C_{i'}(\tau))$. However, by assumption it is the case that $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$. Therefore, since the vehicle velocities are restricted to be non-negative, it follows that for all $i' \in I$, $i' \neq i$, such that $p'.x_i < p'.x_{i'}$, it is the case that $\max(p'.C_i(\tau - t)) < \min(p'.C_{i'}(\tau - t))$. This is sufficient to guarantee that there does not exist $i' \in I$, $i' \neq i$, such that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. ∎

Lemma 6.2.12 For all $p \in T_i(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in \mathit{future}_i(p, t)$, where $t \in [0, \tau]$, it is the case that $p' \in G_i$ and $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$.

Proof: Let $\tau \in \mathbb{R}^{\geq 0}$ and $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that starts in a state in $T_i(\tau)$, is comprised only of states in $R_i$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0, \tau]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$ and $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ and $\alpha.\mathit{ltime} = 0$, i.e., $t = 0$. From Lemma 6.2.1, part 1, and the fact that $p_{init} \in T_i(\tau)$, it follows that $p_{final} \in G_i$. Moreover, since $t = 0$, the fact that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ is trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, with $\alpha.\mathit{ltime} = t$, where $t \in [0, \tau]$, then $p_{final} \in G_i$ and $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories and let $\alpha'.\mathit{ltime} = t'$, where $t' \in [0, t]$. The induction hypothesis asserts that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then $p'_{final} \in G_i$ and $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Moreover, from Lemma 6.2.11 it follows that $p'_{final} \in T_i(\tau - t')$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible actions by cases:

1. The actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ cannot occur, because $\alpha$ involves no input actions on port $j$.

2. The $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and does not affect the variables $\mathit{collided}(i, i')$, for $i' \in I$, $i' \neq i$.

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the internal action $\mathit{brick\text{-}wall}(i)$ does not affect the variables $\mathit{collided}(i, i')$, for $i' \in I$, $i' \neq i$, it follows that $p_{final} \in G_i$.

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, as needed.

3. The actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, affect neither the velocity of the vehicle $i$ nor the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$.

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, do not affect the variables $\mathit{collided}(i, i'')$, for $i'' \in I$, $i'' \neq i$, it follows that $p_{final} \in G_i$.

Moreover, since the input actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I$, $j' \in J$, $j' \neq j$, and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, do not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, as needed.

4. The actions $\mathit{colliding\text{-}pair}(i', i'')$, for $i', i'' \in I$, $i' \neq i''$, and $\mathit{collision\text{-}effects}(i'')$, for $i'' \in I$, are not enabled, because $\alpha$ is comprised only of states in $R_i$ and $p'_{final} \in T_i(\tau - t')$.

In the case of a trajectory, Lemma 4.4.4, part 2, implies that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$. Moreover, since $p'_{final} \in G_i$ and the variables $\mathit{collided}(i, i')$, for all $i' \in I$, $i' \neq i$, remain constant throughout the trajectory, it follows that $p_{final} \in G_i$, as needed. ∎

Lemma 6.2.13 For $\tau \in \mathbb{R}^{\geq 0}$ and $t \in [0, \tau]$, it is the case that $\mathit{future}_i(T_i(\tau), t) \subseteq T_i(\tau - t)$.

Proof: Follows directly from Lemmas 6.2.11 and 6.2.12. ∎

Lemma 6.2.14 For all $t \in \mathbb{R}^{\geq 0}$, it is the case that $T_i(t) \subseteq \mathit{delay\text{-}safe}_i(t)$.

Proof: We need to show that $\mathit{future}_i(T_i(t), [0, t]) \subseteq G_i$ and $\mathit{future}_i(T_i(t), t) \subseteq \mathit{safe}_i$. The first condition follows directly from Lemma 6.2.13 and Lemma 6.2.1, part 1. For the second condition, from Lemma 6.2.13 and Lemma 6.2.1, part 3, it is the case that $\mathit{future}_i(T_i(t), t) \subseteq W_i$. Therefore, Lemma 6.2.8 implies that $\mathit{future}_i(T_i(t), t) \subseteq \mathit{safe}_i$, as needed. ∎


In the following lemma, we show that the CL-PROT-SOLO$_i$ protector implements the protector $\mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. Since the protector automata CL-PROT-SOLO$_i$ and $\mathit{Abs}_i$ involve the composition of the same sensor automaton with distinct discrete controller automata, it suffices to show that the discrete controller automaton of the protector CL-PROT-SOLO$_i$ implements the $\mathit{DC}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ automaton.

Lemma 6.2.15 CL-PROT-SOLO$_i \leq \mathit{Abs}(\text{VEHICLES}, S_i, R_i, G_i, j, d)$.

Proof: Both the CL-PROT-SOLO$_i$ and the $\mathit{Abs}_i$ protectors involve the composition of the same sensor automaton with distinct discrete controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of CL-PROT-SOLO$_i$ implements $\mathit{DC}_i$. This is shown by a simulation from the discrete controller automaton of CL-PROT-SOLO$_i$ to $\mathit{DC}_i$.

As in the overspeed case, the mapping between the states of the discrete controller automaton of CL-PROT-SOLO$_i$ and $\mathit{DC}_i$ is almost the identity. In the discrete controller automaton of CL-PROT-SOLO$_i$, the variable $\mathit{send}_i$ is equal to either one of the labels brake and unbrake, or the value null. In the abstract discrete controller automaton, these valuations simply map to either the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, or the value null, respectively.

The start states of the discrete controller automaton of CL-PROT-SOLO$_i$ and of $\mathit{DC}_i$ are the states in which $\mathit{send}_i = \mathit{null}$. These are mapped to each other according to the mapping discussed above.

Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the VEHICLES automaton that corresponds to $y$, i.e., $p \in \mathit{VALID}$ and $p \lceil Y_{\mathrm{VEHICLES}} = y$.

1. The $\mathit{snapshot}(y)_i$ action of the implementation sets $\mathit{send}_i$ to brake or unbrake. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action $\mathit{snapshot}(y)_i$ of the implementation sets the value of the $\mathit{send}_i$ variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees, if $p \in \mathit{safe}_i$, that for all $p', p'' \in R_i$ such that $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{delay\text{-}safe}_i(d)$, and (ii) is an arbitrary output action of the implementation, otherwise.

First, consider the case in which $p \in \mathit{safe}_i$. Since Corollary 6.2.10 implies that $p \in W_i$, the discrete controller automaton of CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_i$ according to whether or not the state $p$ is in $T_i(d)$.

On one hand, if $p \notin T_i(d)$, then the discrete controller automaton of CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_i$ to brake and the $\mathit{brake}(i)_j$ action is enabled. Since $p \in W_i$, Lemma 6.2.7 implies that $p' \in W_i$. Moreover, since the $\mathit{brake}(i)_j$ action affects neither the velocity of any of the vehicles nor any of the collided variables, it follows that $p'' \in R_i$, $p'' \in G_i$, and $p''.\dot{x}_i = p'.\dot{x}_i$. Therefore, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$. From the above conditions and the non-negativity constraint on the vehicle velocities, it follows that $p'' \in W_i$. Moreover, since the $\mathit{brake}(i)_j$ action sets the $\mathit{brake\text{-}req}(i, j)$ variable to True, it follows that $p'' \in V_i$. Finally, from Lemma 6.2.6 it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed.

On the other hand, if $p \in T_i(d)$, then the discrete controller automaton of the protector CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_i$ to unbrake and the $\mathit{unbrake}(i)_j$ action is enabled. Since $p \in T_i(d)$, Lemma 6.2.13 (with $t = 0$) implies that $p' \in T_i(d)$. Since the $\mathit{unbrake}(i)_j$ action affects neither the velocity of any of the vehicles nor any of the collided variables, it follows that $p'' \in R_i$, $p'' \in G_i$, and $p''.\dot{x}_i = p'.\dot{x}_i$. Therefore, Lemma 4.4.3, part 2, implies that $p''.C_i(d) \subseteq p'.C_i(d)$. From the above conditions and the non-negativity constraint on the vehicle velocities, it follows that $p'' \in T_i(d)$. Finally, from Lemma 6.2.14 it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed.

Next, consider the case in which $p \notin \mathit{safe}_i$. In this case, the $\mathit{snapshot}(y)_i$ action of the discrete controller automaton of CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_i$ to either brake or unbrake and, subsequently, enables either the action $\mathit{brake}(i)_j$ or the action $\mathit{unbrake}(i)_j$. However, when $p \notin \mathit{safe}_i$, the $\mathit{DC}_i$ automaton sets the variable $\mathit{send}_i$ arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of CL-PROT-SOLO$_i$ is allowed by that of the $\mathit{DC}_i$ automaton.

Therefore, the effects of the $\mathit{snapshot}(y)_i$ action of the implementation are allowed by its specification.

2. The $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ actions have identical effects in both discrete controller automata. When the $\mathit{send}_i$ variable holds the label brake or unbrake, or the action $\mathit{brake}(i)_j$ or $\mathit{unbrake}(i)_j$, respectively, the corresponding action is performed and the $\mathit{send}_i$ variable is set to null in both discrete controller automata.

3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of CL-PROT-SOLO$_i$ and the $\mathit{DC}_i$ automaton prior to and succeeding the execution of the environment action remains the same. ∎

Corollary 6.2.16 The protector CL-PROT-SOLO$_i$ guarantees $G_i$ in the VEHICLES automaton starting from $S_i$ given $R_i$.

Proof: Follows directly from Lemma 6.2.15 and Theorem 3.2.9. ∎
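The membership tests for $W_i$ and $T_i(\tau)$ and the way the CL-PROT-SOLO$_i$ discrete controller chooses $\mathit{send}_i$ on a snapshot (the case analysis in the proof of Lemma 6.2.15) can be made concrete on a straight track. The Python sketch below is an added example and is not code from the thesis or from the PRT 2000 system. The thesis defines the owned section $O_i$ and the claimed section $C_i(\tau)$ in Chapter 4; the closed-form kinematics used here (a constant emergency-brake deceleration, bounded acceleration up to a speed limit, a single port $j$) are assumptions of this example, as are the constants, names and the constructed sample state.

```python
"""Added example, not from the thesis: membership tests for W_i and T_i(tau) and the
snapshot decision of the CL-PROT-SOLO_i discrete controller on a straight track.
The forms of O_i and C_i(tau) below are assumed for illustration only."""
from __future__ import annotations
from dataclasses import dataclass, field

A_BRAKE = 2.0   # assumed emergency-brake deceleration (m/s^2)
A_MAX = 1.0     # assumed maximum acceleration of an unbraked vehicle (m/s^2)
V_MAX = 10.0    # assumed speed limit; R_i restricts states to those abiding by it


@dataclass
class Vehicle:
    x: float                  # position along the track
    v: float                  # velocity; restricted to be non-negative
    brake_req: bool = False   # brake-req(i, j) for the single port j modelled here


@dataclass
class State:
    veh: dict[int, Vehicle]
    # collided(i, i') = True is recorded as the ordered pair (i, i')
    collided: set[tuple[int, int]] = field(default_factory=set)


def stopping_distance(v: float) -> float:
    """Distance covered from velocity v to rest under emergency braking (assumed)."""
    return v * v / (2.0 * A_BRAKE)


def owned_section(p: State, i: int) -> tuple[float, float]:
    """O_i: the track vehicle i sweeps if it brakes now (assumed form)."""
    veh = p.veh[i]
    return (veh.x, veh.x + stopping_distance(veh.v))


def claimed_section(p: State, i: int, tau: float) -> tuple[float, float]:
    """C_i(tau): the track vehicle i may sweep if it accelerates freely for tau
    time units (capped at V_MAX) and only then brakes (assumed form)."""
    veh = p.veh[i]
    t_acc = min(tau, max(0.0, (V_MAX - veh.v) / A_MAX))
    v_end = veh.v + A_MAX * t_acc
    travelled = veh.v * t_acc + 0.5 * A_MAX * t_acc ** 2 + v_end * (tau - t_acc)
    return (veh.x, veh.x + travelled + stopping_distance(v_end))


def sections_overlap(a: tuple[float, float], b: tuple[float, float]) -> bool:
    """Closed intervals a and b share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def in_G(p: State, i: int) -> bool:
    """G_i: vehicle i has not collided with any other vehicle."""
    return all(a != i for (a, _) in p.collided)


def no_conflict_with_leaders(p: State, i: int, section) -> bool:
    """No vehicle i' ahead of i (p.x_i < p.x_i') whose section overlaps i's section."""
    mine = section(p, i)
    return all(not (p.veh[i].x < other.x and sections_overlap(mine, section(p, k)))
               for k, other in p.veh.items() if k != i)


def in_W(p: State, i: int) -> bool:
    """W_i: p in G_i (R_i assumed) and no leader i' with p.O_i meeting p.O_i'."""
    return in_G(p, i) and no_conflict_with_leaders(p, i, owned_section)


def in_T(p: State, i: int, tau: float) -> bool:
    """T_i(tau): as W_i, but using the claimed sections C_i(tau)."""
    return in_G(p, i) and no_conflict_with_leaders(
        p, i, lambda q, k: claimed_section(q, k, tau))


def snapshot_decision(p: State, i: int, d: float) -> str:
    """Value of send_i chosen by the CL-PROT-SOLO_i controller on snapshot(y)_i,
    where d is the protector's delay (Lemma 6.2.15, case 1)."""
    if not in_W(p, i):
        # p is not in safe_i = W_i: the specification allows either output;
        # braking is the conservative choice taken in this example.
        return "brake"
    return "unbrake" if in_T(p, i, d) else "brake"


# Constructed sample state: vehicle 1 trails vehicle 2, which is stationary.
SAMPLE = State(veh={1: Vehicle(x=0.0, v=5.0), 2: Vehicle(x=20.0, v=0.0)})
```

With the constants above, vehicle 1 owns $[0, 6.25]$ and vehicle 2 owns the single point 20, so the sample state is in $W_1$; its claimed section for $d = 2$ reaches 24.25 and meets vehicle 2's, so the controller orders a brake. Moving vehicle 2 to 50 puts the state in $T_1(2)$ and the controller orders an unbrake.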


6.3. Protection System CL-PROT

We now define the collision protector CL-PROT. While considering the CL-PROT automaton, we restrict the states of the VEHICLES automaton to the set $P_{\mathit{not\text{-}overspeed}}$ as defined in Section 4.2, i.e., $R_{\text{CL-PROT}} = P_{\mathit{not\text{-}overspeed}}$. Let $G_{\text{CL-PROT}}$ and $S_{\text{CL-PROT}}$ be the intersection of $G_i$ and of $S_i$, for all $i \in I$, respectively, and CL-PROT be the composition of the protectors CL-PROT-SOLO$_i$, for all $i \in I$. The protector CL-PROT guarantees that the VEHICLES automaton remains within $G_{\text{CL-PROT}}$ starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$. For reference, the formal definitions of the CL-PROT automaton and the sets $G_{\text{CL-PROT}}$, $S_{\text{CL-PROT}}$, and $R_{\text{CL-PROT}}$ are shown in Table 6.2.

Table 6.2 Formal definitions of CL-PROT, $G_{\text{CL-PROT}}$, $S_{\text{CL-PROT}}$, and $R_{\text{CL-PROT}}$:

$\text{CL-PROT} = \prod_{i \in I} \text{CL-PROT-SOLO}_i$

$G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$

$S_{\text{CL-PROT}} = \bigcap_{i \in I} S_i$

$R_{\text{CL-PROT}} = P_{\mathit{not\text{-}overspeed}}$

Lemma 6.3.1 The protector CL-PROT guarantees $G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$.

In the following proof, we show that all the states of an execution of $PP \times \text{CL-PROT}$ starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$ are in $G_{\text{CL-PROT}}$. This is done by applying Theorem 3.1.8 and showing that the second condition of the theorem cannot hold.

Proof: Let $\alpha$ be any execution of the system $PP \times \text{CL-PROT}$ starting from a state in $S_{\text{CL-PROT}}$ and in which all states are in $R_{\text{CL-PROT}}$.

From Theorem 3.1.8, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$, except possibly the last state occurrence, are in the set $G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$.

(b) If the last state occurrence in $\alpha_1$ is in $\overline{G_i}$, for some $i \in I$, then there exists $i' \in I$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{i'}}$.

(c) All state occurrences in $\alpha_2$, except possibly the first state occurrence, are in the set $\bigcap_{i \in N} \mathit{past}(G_i, \alpha)$, for some $N \subseteq I$, where $|N| \geq 2$.

We proceed by showing that it is not possible to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$ while satisfying the three aforementioned conditions.


The violation of $\bigcap_{i \in I} G_i$ can only occur through the violation of at least one of the conditions $G_i$, where $i \in I$. Moreover, each of these conditions is violated only through the execution of a colliding-pair action. Without loss of generality, suppose that the first condition that is violated in $\alpha$ is the condition $G_i$, for some $i \in I$, and that such a violation has resulted through a $\mathit{colliding\text{-}pair}(i, i')$ action, for some $i' \in I$, $i' \neq i$. Let $p$ and $p'$ be the states of the VEHICLES automaton prior to and succeeding this $\mathit{colliding\text{-}pair}(i, i')$ action, i.e., $p, p' \in R_{\text{CL-PROT}}$ such that $p \xrightarrow{\pi} p'$, where $\pi = \mathit{colliding\text{-}pair}(i, i')$. Since the $\mathit{colliding\text{-}pair}(i, i')$ action only sets the $\mathit{collided}(i, i')$ variable to True, it follows that $p' \in \overline{G_i} \cap \left(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\right)$. Now, we attempt to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$:

1. Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$ and is not its first state occurrence. Since $p'$ is the first state in which one of the conditions $G_{i''}$, for $i'' \in I$, is violated, it is the case that $p \in \bigcap_{i'' \in I} G_{i''}$ and there does not exist $N \subseteq I$ such that $|N| \geq 2$ and $p \in \bigcap_{i'' \in N} \mathit{past}(G_{i''}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$ and is not its first state occurrence. Since $p'$ is the first state in which one of the conditions $G_{i''}$, for $i'' \in I$, is violated and since the state $p$ is in $G_i \cap \left(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\right)$, it follows that there does not exist $N \subseteq I$ such that $|N| \geq 2$ and $p' \in \bigcap_{i'' \in N} \mathit{past}(G_{i''}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. However, $p' \in \overline{G_i} \cap \left(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\right)$; that is, $p'$ lies outside $G_i$ only. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$ and is not its last state occurrence. Since $p' \in \overline{G_i} \cap \left(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\right)$, it is the case that $p' \notin \bigcap_{i \in I} G_i$. Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.

Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{\text{CL-PROT}}$. This implies that the protector CL-PROT guarantees $G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$. ∎
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Chapter 7 


Example 3: 
Collision Avoidance on Merging 
Tracks 


This chapter treats collision avoidance among vehicles that are traveling on a track involving 
a binary merge. We first augment the model of the PRT 2000™ to involve a track topology 
consisting of two merging tracks — the new model is referred to as the MERGE-VEHICLES 
automaton. Then we define the protector MERGE-PROT that guarantees that none of the 
vehicles of the MERGE-VEHICLES automaton collide, assuming that they are all abiding 
by the speed limit. The MERGE-PROT protector is defined as the composition of n(n — 
1)/2 separate copies of another protector called MERGE-PROT-PAIR s; jy, one copy for each 
unordered pair {7,7i’} of vehicles of the MERGE-VEHICLES automaton, for i,’ € [,i 4 wv. 
Each of these MERGE-PROT-PAIR{; ; protectors, for ¢, ve 7,i147, is an implementation of 
a particular instantiation of the abstract protector automaton of Section 3.2 and guarantees 


that the vehicles 2 and #’ do not collide into each other. 


7.1 Augmented Physical Plant: MERGE-VEHICLES 


In this section we augment the model for the system of n vehicles to involve a merge of two sections of track. We replace the position component of a vehicle's state with a location component — a component that specifies the track on which the vehicle is traveling and the vehicle's position with respect to the merge point — and update the definitions of the discrete steps and the trajectories of the VEHICLES automaton to handle the location variables. We replace the brake and unbrake input actions of the VEHICLES automaton with protect input actions which allow single protectors to instruct multiple vehicles to apply their "emergency" brakes. Finally, we augment the definitions of the discrete actions pertaining to vehicle collisions such that the blame for a particular collision is assigned to either only the trailing vehicle, if one vehicle collides into the other vehicle from behind, or both vehicles, if the vehicles collide sideways while merging.


The set of track locations in the VEHICLES automaton was a line. In the case of a binary merge, the set of locations is a Y-shaped track — two incoming branches and one outgoing branch. We define the set of locations L as follows:

$$L = (\{\mathit{left}, \mathit{right}\} \times \mathbb{R}^{<0}) \cup (\{\mathit{out}\} \times \mathbb{R}^{\ge 0})$$


Each location l, for l ∈ L, is comprised of two components; the first component represents the branch of the track on which the vehicle is traveling and the second component represents the position of the vehicle with respect to the merge point. The locations on the top branch of the merge have the label left and a negative real number as their respective components. Similarly, the locations on the bottom branch of the merge have the label right and a negative real number as their respective components. The locations on the merged section of the track are specified by the label out and a non-negative real number. The point (out, 0) is the first point on the merged section of the track that no two vehicles can occupy simultaneously. For notational brevity, we use l.b and l.x to denote the branch and the position components of the location l, respectively.


We define a partial order on L as follows. If (b₁, x₁) and (b₂, x₂) are locations in L then

$$(b_1, x_1) \le (b_2, x_2) \iff x_1 \le x_2 \wedge (b_1 = b_2 \vee b_2 = \mathit{out})$$

In other words, two locations are incomparable if one specifies a location on the left branch and the other specifies a location on the right branch; otherwise, they are comparable and their order is given by the ordering on their real component.


A closed interval in L is specified with an ordered pair of locations that are comparable, e.g., [(left, −1), (out, 2.5)], and contains all locations between them. Addition with non-negative scalars on L is defined as follows: if (b, x) is a location in L and y ∈ R≥0, then

$$(b, x) + y = \begin{cases} (b, x + y) & \text{if } x + y < 0 \\ (\mathit{out}, x + y) & \text{otherwise} \end{cases}$$

It is important to note that for all y ∈ R≥0, (b, x) + y exists and (b, x) ≤ ((b, x) + y).


The automaton MERGE-VEHICLES of Figure 7.1 models a physical system of n vehicles 
traveling on a track involving a Y-shaped merge. The MERGE-VEHICLES automaton is the 
result of augmenting the VEHICLES automaton of Chapter 4 to allow for the Y-shaped track 
topology. 


In the new model, each of the position components x_i of the state of the VEHICLES automaton is replaced with the corresponding location component l_i. This entails simply replacing the occurrences of x_i with l_i.x. The derived variables stop-dist_i, max-range_i(t), and max-vel_i(t), for i ∈ I and t ∈ R≥0, defined for the VEHICLES automaton in Section 4.3, carry over unchanged to the MERGE-VEHICLES automaton. The derived variables E_i, O_i, and C_i(t), for i ∈ I and t ∈ R≥0, defined for the VEHICLES automaton in Sections 4.1 and 4.3, extend to the MERGE-VEHICLES automaton by replacing the position variables with their location counterparts.

Figure 7.1 The MERGE-VEHICLES automaton.

Actions:
  Input:
    e, the environment action (stuttering)
    protect(C)_j, for all C ∈ P(I), j ∈ J
  Internal:
    colliding-pair(i, i'), for all i, i' ∈ I, i' ≠ i
    collision-effects(i), for all i ∈ I
    brick-wall(i), for all i ∈ I

Variables:
  Internal:
    ẍ_i ∈ R, for all i ∈ I, initially ẍ_i ∈ R
    brake(i) ∈ Bool, for all i ∈ I, initially False
    brake-req(i, j) ∈ Bool, for all i ∈ I, j ∈ J, initially False
  Output:
    l_i ∈ L, for all i ∈ I, initially l_i ∈ L
    ẋ_i ∈ R, for all i ∈ I, initially ẋ_i ∈ R
    collided(i, i') ∈ Bool, for all i, i' ∈ I, i' ≠ i, initially False
  subject to VALID

Discrete Transitions:

  protect(C)_j
    Eff: for all i ∈ C
           brake-req(i, j) := True
           if ¬brake(i) then
             brake(i) := True
             if ẋ_i = 0 then ẍ_i := 0
             else ẍ_i := c̈_brake
         for all i ∈ I − C
           brake-req(i, j) := False
           if brake(i) ∧ ¬(∨_{k ∈ J} brake-req(i, k)) then
             brake(i) := False
             ẍ_i :∈ [c̈_min, c̈_max]

  colliding-pair(i, i')
    Pre: ¬collided(i, i')
         ∧ (E_i ∩ E_{i'} ≠ ∅)
         ∧ (l_i < min(E_i ∩ E_{i'}))
    Eff: collided(i, i') := True
         if (l_i.b ≠ l_{i'}.b) ∧ (l_i.b ≠ out) ∧ (l_{i'}.b ≠ out)
         then collided(i', i) := True

  collision-effects(i)
    Pre: collided(*, i, *)
    Eff: ẋ_i :∈ R≥0
         ẍ_i :∈ R

  brick-wall(i)
    Pre: True
    Eff: ẋ_i := 0
         if brake(i) then ẍ_i := 0
         else ẍ_i :∈ [0, c̈_max]

Trajectories:
  for all i, i' ∈ I, i ≠ i', collided(i, i') is constant throughout w
  for all i ∈ I and j ∈ J, brake(i) and brake-req(i, j) are constant throughout w
  for all i, i' ∈ I, i ≠ i'
    the function w.ẍ_i is integrable
    for all t ∈ T_w
      if ¬w.collided(i, i')
         ∧ (w(t).E_i ∩ w(t).E_{i'} ≠ ∅)
         ∧ (w(t).l_i < min(w(t).E_i ∩ w(t).E_{i'}))
      then t = w.ltime
  subject to VALID


In the VEHICLES automaton, a collision between two vehicles is recorded solely by the trailing vehicle — as if it is the only vehicle blamed for the collision. The rationale behind this approach is that the trailing vehicle is the only vehicle that is capable of preventing a collision through braking; that is, the trailing vehicle is liable for the collision. This rationale carries over to the MERGE-VEHICLES automaton with the exception that in the MERGE-VEHICLES automaton it is possible for two vehicles to collide sideways while merging. In such situations, it is not clear which vehicle is liable for the collision and, therefore, the collision is recorded by both vehicles involved in the collision. This is done by augmenting the effects of the colliding-pair(i, i') actions, for i, i' ∈ I, i ≠ i', so that a colliding-pair(i, i') action sets both the variables collided(i, i') and collided(i', i) to True when the vehicles i and i' are colliding sideways while merging. If indeed the vehicles i and i' are colliding sideways while merging, although both of the actions colliding-pair(i, i') and colliding-pair(i', i) are enabled, only one of them is actually executed and neither of them is enabled thereafter. The interpretation of the collided(i, i') variables, for i, i' ∈ I, i ≠ i', still remains the same; that is, each of the variables collided(i, i'), for i, i' ∈ I, i ≠ i', denotes whether the vehicle i has collided into the vehicle i'. However, if collided(i, i') = True and collided(i', i) = False, then it follows that the vehicle i has collided into the vehicle i' from behind, whereas, if collided(i, i') = True and collided(i', i) = True, then it follows that the vehicles i and i' have collided sideways while merging.


The brake(i)_j and unbrake(i)_j actions of the VEHICLES automaton, for i ∈ I and j ∈ J, are replaced by the protect(C)_j actions, for C ∈ P(I) and j ∈ J. These actions enable a protector j to instruct each of the vehicles in the set of vehicles C to apply its "emergency" brakes. If a vehicle i is a member of C then it is requested to brake by the protector j, emulating a brake(i)_j action of the VEHICLES automaton; otherwise, any previous request of the protector j to brake the vehicle i is revoked, emulating an unbrake(i)_j action of the VEHICLES automaton.


As in the case of the VEHICLES automaton, the set of input actions of the MERGE-VEHICLES automaton includes the actions protect(C)_j, for C ∈ P(I) and j ∈ J; that is, the MERGE-VEHICLES automaton allows each protector j, for j ∈ J, to brake any subset of the vehicles. However, it is often the case that a protector j, for some j ∈ J, need not schedule but a subset of the actions protect(C)_j, for C ∈ P(I). In such cases, the protector j is specified as having only the output actions that it is capable of scheduling and the remaining input actions of the MERGE-VEHICLES automaton on port j are ignored.


The remaining state variables and discrete actions of the VEHICLES automaton as well as the notational shorthand collided(i, *), collided(*, i), and collided(*, i, *), for all i ∈ I, defined for the VEHICLES automaton in Section 4.1, carry over to the MERGE-VEHICLES automaton unchanged.


In the case of the trajectories of the MERGE-VEHICLES automaton, it is important to note that due to the nature of the set of locations L, as the vehicles travel past the merge point, the branch component of their location variables changes from either left, or right to out.


Finally, we redefine the set VALID to account for the new track topology. 


VALID ⊆ states(MERGE-VEHICLES), defined as the set of states of the MERGE-VEHICLES automaton that satisfy the following conditions:

1. ∄ i, i' ∈ I, i ≠ i', such that the set E_i ∩ E_{i'} is a positive length closed interval of L.

2. ẋ_i ≥ 0, for all i ∈ I.

3. If ¬collided(*, i, *) then ẍ_i ∈ [c̈_min, c̈_max], for all i ∈ I.

4. If ¬collided(*, i, *) ∧ brake(i) then if ẋ_i = 0 then ẍ_i = 0 else ẍ_i = c̈_brake, for all i ∈ I.


The MERGE-VEHICLES automaton complies with the assumptions made about the PP automaton in Section 3.2.1. The MERGE-VEHICLES automaton has neither input variables, nor output actions, on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover, each of the actions protect(C_j)_j, for j ∈ J and C_j = {i | brake-req(i, j) = True}, is a no-op input action on port j for any R ⊆ VALID. Therefore, the set of no-op input actions on each port j ∈ J and any R ⊆ VALID is non-empty (Axiom 3.2.3).


Henceforth, we assume that the sets disjoint-extents(i, i'), disjoint-owned-tracks(i, i'), and disjoint-claimed-tracks(i, i', t), for i, i' ∈ I, i ≠ i' and t ∈ R≥0, defined for the VEHICLES automaton in Section 4.3, have been extended to the MERGE-VEHICLES automaton to incorporate the redefinitions of the derived variables used in their definitions. Moreover, we assume that the Lemmas 4.4.1, 4.4.2, 4.4.3, 4.4.4, and 4.4.5 extend to the MERGE-VEHICLES automaton in the obvious way.


7.2 Auxiliary Sets for the MERGE-VEHICLES Automaton 
This section presents several auxiliary sets for the MERGE-VEHICLES automaton that are comprised of states that satisfy particular properties. While their formal definitions appear in Table 7.1, their informal descriptions follow.


comparable(i, i'), for i, i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in which the locations of the vehicles i and i' are comparable.

incomparable(i, i'), for i, i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in which the locations of the vehicles i and i' are not comparable.

yield-comparable(i, i'), for i, i' ∈ I, i ≠ i', is the subset of comparable(i, i') comprised of the states in which, in the case of a claim overlap between the vehicles i and i', the vehicle i must yield to the vehicle i'. When the locations of the vehicles i and i' are comparable, the vehicle i must yield to the vehicle i' if the location of the vehicle i is strictly less than the location of the vehicle i'.

yield-incomparable(i, i'), for i, i' ∈ I, i ≠ i', is the subset of incomparable(i, i') comprised of the states in which, in the case of a claim overlap between the vehicles i and i', the vehicle i must yield to the vehicle i'. When the locations of the vehicles i and i' are not comparable, the vehicle i must yield to the vehicle i' if either only the vehicle i' owns the merge point, or the vehicle i is traveling on the left branch and neither or both vehicles own the merge point.

yield(i, i'), for i, i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in which, in the case of a claim overlap between the vehicles i and i', the vehicle i must yield to the vehicle i' in order to prevent a potential collision between the vehicles i and i'.

Since the above definitions only depend on the output variables of the MERGE-VEHICLES automaton, we often use the above sets to classify states of the output state set Y_MERGE-VEHICLES.


The following lemma describes some properties of the sets defined above. 


Table 7.1 Auxiliary sets for the MERGE-VEHICLES automaton.

comparable(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$\mathit{comparable}(i, i') = \{p \in \mathit{VALID} \mid (p.l_i.b = p.l_{i'}.b) \vee (p.l_i.b = \mathit{out}) \vee (p.l_{i'}.b = \mathit{out})\}$$

incomparable(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$\mathit{incomparable}(i, i') = \mathit{VALID} - \mathit{comparable}(i, i')$$

yield-comparable(i, i') ⊆ comparable(i, i'), for i, i' ∈ I, i ≠ i', defined by

$$\mathit{yield\text{-}comparable}(i, i') = \{p \in \mathit{comparable}(i, i') \mid p.l_i < p.l_{i'}\}$$

yield-incomparable(i, i') ⊆ incomparable(i, i'), for i, i' ∈ I, i ≠ i', defined by

$$\begin{aligned}
\mathit{yield\text{-}incomparable}(i, i') = \{p \in \mathit{incomparable}(i, i') \mid\;
& ((\mathit{out}, 0) \notin p.O_i \wedge (\mathit{out}, 0) \in p.O_{i'}) \\
\vee\;& ((\mathit{out}, 0) \in p.O_i \wedge (\mathit{out}, 0) \in p.O_{i'} \wedge p.l_i.b = \mathit{left}) \\
\vee\;& ((\mathit{out}, 0) \notin p.O_i \wedge (\mathit{out}, 0) \notin p.O_{i'} \wedge p.l_i.b = \mathit{left})\}
\end{aligned}$$

yield(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$\mathit{yield}(i, i') = \mathit{yield\text{-}comparable}(i, i') \cup \mathit{yield\text{-}incomparable}(i, i')$$

Lemma 7.2.1 For all i, i' ∈ I, i ≠ i', the following hold:

1. VALID = comparable(i, i') ∪ incomparable(i, i').

2. comparable(i, i') = yield-comparable(i, i') ∪ yield-comparable(i', i).

3. yield-comparable(i, i') ∩ yield-comparable(i', i) = ∅.

4. incomparable(i, i') = yield-incomparable(i, i') ∪ yield-incomparable(i', i).

5. yield-incomparable(i, i') ∩ yield-incomparable(i', i) = ∅.

Proof: We prove each of the conditions separately:

1. This follows directly from the definition of comparable(i, i') and incomparable(i, i'), for i, i' ∈ I, i ≠ i'.

2. For all i, i' ∈ I, i ≠ i', the sets yield-comparable(i, i') and yield-comparable(i', i) are both subsets of the set comparable(i, i'). Therefore, it suffices to show that any state p in the set comparable(i, i'), for some i, i' ∈ I, i ≠ i', is either in the set yield-comparable(i, i'), or in the set yield-comparable(i', i).

Let the state p be any state in comparable(i, i'), for some i, i' ∈ I, i ≠ i'. Since comparable(i, i') ⊆ VALID, it is the case that p ∈ VALID. Therefore, the sections of the track occupied by the vehicles i and i' do not have a positive length closed interval overlap. It follows that it is not possible for their locations to coincide; that is, for any p ∈ comparable(i, i'), it is the case that p.l_i ≠ p.l_{i'}. Therefore, regarding the ordering of the locations of the vehicles i and i', there are only two viable cases:

(a) p.l_i < p.l_{i'}. In this case, p ∈ yield-comparable(i, i').

(b) p.l_{i'} < p.l_i. In this case, p ∈ yield-comparable(i', i).

3. If p ∈ yield-comparable(i, i') then it is the case that p.l_i < p.l_{i'}. It follows that p ∉ yield-comparable(i', i). Similarly, if p ∈ yield-comparable(i', i) then it is the case that p.l_{i'} < p.l_i. It follows that p ∉ yield-comparable(i, i'). This suffices.

4. For all i, i' ∈ I, i ≠ i', the sets yield-incomparable(i, i') and yield-incomparable(i', i) are both subsets of the set incomparable(i, i'). Therefore, it suffices to show that any state p in the set incomparable(i, i'), for some i, i' ∈ I, i ≠ i', is either in the set yield-incomparable(i, i'), or in the set yield-incomparable(i', i).

Let the state p be any state in incomparable(i, i'), for some i, i' ∈ I, i ≠ i', and without loss of generality let the vehicle i be the vehicle traveling on the left incoming edge. Regarding the ownership of the merge point by each of the vehicles, there are four cases:

(a) (out, 0) ∈ p.O_i ∧ (out, 0) ∈ p.O_{i'}. In this case, p ∈ yield-incomparable(i, i') and p ∉ yield-incomparable(i', i).

(b) (out, 0) ∉ p.O_i ∧ (out, 0) ∉ p.O_{i'}. Similarly to above, p ∈ yield-incomparable(i, i') and p ∉ yield-incomparable(i', i).

(c) (out, 0) ∉ p.O_i ∧ (out, 0) ∈ p.O_{i'}. In this case, p ∈ yield-incomparable(i, i') and p ∉ yield-incomparable(i', i).

(d) (out, 0) ∈ p.O_i ∧ (out, 0) ∉ p.O_{i'}. In this case, p ∉ yield-incomparable(i, i') and p ∈ yield-incomparable(i', i).

5. This condition follows from the analysis in the proof of condition 4.


7.3 Protection System MERGE-PROT-PAIR_{i,i'}

Each MERGE-PROT-PAIR_{i,i'} automaton, for i, i' ∈ I, i ≠ i', is a vehicle-pair collision protector and guarantees that the vehicles i and i' do not collide into each other, provided that all the vehicles are abiding by the speed limit and the vehicles of all other vehicle pairs do not collide between themselves. Each of the MERGE-PROT-PAIR_{i,i'} protectors, for i, i' ∈ I, i ≠ i', is an implementation of the abstract protector of Section 3.2 specialized to particular definitions of the parameters PP, S, R, G, j, and d.


The physical plant automaton, PP, is defined to be the MERGE-VEHICLES automaton of Figure 7.1. The port j and the sampling period d are defined to be the port and sampling period with which the protector MERGE-PROT-PAIR_{i,i'} communicates with the MERGE-VEHICLES automaton. They are assumed arbitrary and are fixed for the rest of the chapter. The set of "good" states G is defined to be the set of states in which the vehicles i and i' have not collided into each other, i.e., G = VALID − P_collided(i,i') − P_collided(i',i). In this chapter, we use the notation G_{i,i'} to denote the definition of G that is specific to the MERGE-PROT-PAIR_{i,i'} protector. The set R is defined to be the set

$$R = P_{\mathit{not\text{-}overspeed}} \cap \Big( \bigcap_{i'', i''' \in I,\; i'' \ne i''',\; \{i'', i'''\} \ne \{i, i'\}} G_{i'', i'''} \Big)$$

This definition restricts the states of the MERGE-VEHICLES automaton to states in which all the vehicles are abiding by the speed limit and in which the vehicles of all other vehicle pairs {i'', i'''}, for i'', i''' ∈ I, i'' ≠ i''', {i'', i'''} ≠ {i, i'}, have not collided into each other. The set S is defined to be the set safe as defined in Section 3.2.1; that is, the set of states of the PP automaton for which a single input action of PP on port j can guarantee that, provided no new input actions on port j are allowed, all subsequently R-reachable states will be in G. Once again, the definition of the set safe is specialized to the above definitions of the automaton PP, the sets R and G, and the port j. In this chapter, we use the notation R_{i,i'} and S_{i,i'} to refer to the above definitions of the sets R and S.


The MERGE-PROT-PAIR_{i,i'} protector automaton is an implementation of the abstract protector automaton Abs(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d). More precisely, as is the case for the abstract protector Abs_j, we define the MERGE-PROT-PAIR_{i,i'} automaton to be the composition of a sensor and a discrete controller automaton. These automata are implementations of their abstract equivalents of Figures 3.2 and 3.3 specialized, however, to the above definitions of the parameters PP, S, R, G, j, and d. The sensor automaton is precisely the specialization of the sensor automaton of Figure 3.2 to the above definitions of the parameters PP, etc. The discrete controller automaton is defined in Figure 7.2.


The braking strategy of the MERGE-PROT-PAIR_{i,i'} protector is as follows. The protector is allowed to brake the vehicles i and i' only if the sections of the track they claim in time d overlap. Given that the vehicles i and i' are indeed involved in such a claim overlap, there are two possible scenarios depending on whether the locations of the vehicles i and i' are comparable, or not. If their locations are comparable, then the vehicle i is instructed to brake if it trails the vehicle i'; otherwise, the vehicle i' is instructed to brake. On the other hand, if the vehicle locations are not comparable, the vehicle i is instructed to brake either if only the vehicle i' owns the merge point, or if both or neither vehicles own the merge point and the vehicle i is traveling on the left branch; otherwise, the vehicle i' is instructed to brake. In the latter case, we choose to brake the vehicle traveling on the left branch for no particular reason. In fact, it is plausible to brake either or both of the vehicles involved in the claim overlap. However, if both of the vehicles were instructed to brake, it would be possible to reach a bottleneck state — a state in which both of the incoming vehicles involved in the claim overlap are instructed to brake thereafter and, subsequently, none of the trailing incoming vehicles would be capable of proceeding.


The braking strategy considers the case in which both the vehicles i and i' own the merge point. Although this situation is a valid state of the MERGE-VEHICLES automaton, in the following section it is shown that such states are excluded from the reachable state set of the composition of the MERGE-VEHICLES automaton and all the MERGE-PROT-PAIR_{i,i'} protectors, for i, i' ∈ I, i ≠ i'. It is also important to note that, according to the braking strategy and provided that the sections of track owned by the vehicles i and i' are disjoint, if the locations of the vehicles i and i' are not comparable, then the section of the track owned by the vehicle to be braked is entirely upstream of the merge point.
Figure 7.2 Discrete controller automaton for the protector MERGE-PROT-PAIR_{i,i'}.

Actions:
  Input:
    e, the environment action (stuttering)
    snapshot(y)_j, for each valuation y of Y_MERGE-VEHICLES
  Output:
    protect(C)_j, for C ∈ P({i, i'})

Variables:
  Internal:
    send_j ∈ P({i, i'}) ∪ null, initially null

Discrete Transitions:

  snapshot(y)_j
    Eff: if y ∉ disjoint-claimed-tracks(i, i', d) then
           if y ∈ yield(i, i') then
             send_j := {i}
           else
             send_j := {i'}
         else
           send_j := ∅

  protect(C)_j
    Pre: send_j = C
    Eff: send_j := null

Trajectories:
  w.send_j = null
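The location algebra of Section 7.1 (the set L, its partial order, scalar addition and closed intervals), the yield sets of Table 7.1 and the effect of the snapshot(y)_j action above are all decidable from the output variables of the MERGE-VEHICLES automaton, and an executable model makes the case analysis of Lemma 7.2.1 and the braking strategy easy to exercise on concrete states. The following Python is an added example, not code from the thesis or from the PRT 2000 project; the names Loc, Interval, Vehicle, yields, snapshot and collision_record are this example's own. It assumes that the owned section O_i and the section C_i(d) claimed within the sampling period are supplied directly as constructed intervals of L rather than derived from stop-dist_i and the speed limit as in Chapter 4.

```python
# Added example: an executable model of the merge-track location set L of
# Section 7.1, the yield sets of Table 7.1 and the snapshot effect of the
# MERGE-PROT-PAIR_{i,i'} controller of Figure 7.2 (not code from the thesis).
# Assumption: the owned section O_i and the section claimed within the sampling
# period, C_i(d), are supplied as constructed intervals of L rather than
# derived from stop-dist_i and the speed limit as in Chapter 4.
from dataclasses import dataclass

LEFT, RIGHT, OUT = "left", "right", "out"


@dataclass(frozen=True)
class Loc:
    """A location l = (b, x): branch l.b and position l.x relative to the merge point."""
    b: str
    x: float

    def __post_init__(self):
        # L = ({left, right} x R<0) U ({out} x R>=0)
        on_branch = self.b in (LEFT, RIGHT) and self.x < 0
        if not (on_branch or (self.b == OUT and self.x >= 0)):
            raise ValueError(f"not a location of L: {self}")

    def __add__(self, y: float) -> "Loc":
        # (b, x) + y stays on branch b while x + y < 0 and passes the merge otherwise.
        assert y >= 0, "addition on L is defined for non-negative scalars only"
        return Loc(self.b, self.x + y) if self.x + y < 0 else Loc(OUT, self.x + y)


def comparable(l1: Loc, l2: Loc) -> bool:
    """Locations are comparable unless one is on left and the other on right."""
    return l1.b == l2.b or l1.b == OUT or l2.b == OUT


def lt(l1: Loc, l2: Loc) -> bool:
    """(b1, x1) < (b2, x2) iff x1 < x2 and either b1 = b2 or b2 = out."""
    return l1.x < l2.x and (l1.b == l2.b or l2.b == OUT)


def le(l1: Loc, l2: Loc) -> bool:
    return l1 == l2 or lt(l1, l2)


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi] of L; the endpoints must be comparable and ordered."""
    lo: Loc
    hi: Loc

    def __post_init__(self):
        if not le(self.lo, self.hi):
            raise ValueError(f"endpoints not comparable or misordered: {self}")

    def contains(self, l: Loc) -> bool:
        return le(self.lo, l) and le(l, self.hi)

    def pieces(self):
        """Split into per-branch real segments (branch, start, end)."""
        if self.lo.b == OUT:
            yield (OUT, self.lo.x, self.hi.x)
        else:
            yield (self.lo.b, self.lo.x, min(self.hi.x, 0.0))
            if self.hi.b == OUT:
                yield (OUT, 0.0, self.hi.x)

    def overlaps(self, other: "Interval") -> bool:
        """Positive-length overlap, the notion behind VALID and the disjoint-* sets."""
        return any(b1 == b2 and max(s1, s2) < min(e1, e2)
                   for b1, s1, e1 in self.pieces() for b2, s2, e2 in other.pieces())


MERGE_POINT = Loc(OUT, 0.0)


@dataclass
class Vehicle:
    """Output-state projection of one vehicle: l_i, O_i and C_i(d) (constructed)."""
    loc: Loc
    owned: Interval
    claimed: Interval


def yields(v: Vehicle, w: Vehicle) -> bool:
    """yield(i, i') of Table 7.1: must vehicle i (v) yield to vehicle i' (w)?"""
    if comparable(v.loc, w.loc):
        return lt(v.loc, w.loc)  # yield-comparable: the trailing vehicle yields
    own_v, own_w = v.owned.contains(MERGE_POINT), w.owned.contains(MERGE_POINT)
    if own_v != own_w:
        return own_w  # yield-incomparable: yield iff only i' owns the merge point
    return v.loc.b == LEFT  # both or neither own it: the left-branch vehicle yields


def snapshot(v: Vehicle, w: Vehicle, i: str, i2: str) -> frozenset:
    """Effect of snapshot(y)_j in Figure 7.2: the value assigned to send_j."""
    if not v.claimed.overlaps(w.claimed):
        return frozenset()  # y in disjoint-claimed-tracks(i, i', d): brake nobody
    return frozenset({i}) if yields(v, w) else frozenset({i2})


def collision_record(li: Loc, li2: Loc) -> tuple:
    """Blame assigned by colliding-pair(i, i'): (collided(i, i'), collided(i', i))."""
    sideways = li.b != li2.b and li.b != OUT and li2.b != OUT
    return (True, sideways)
```

On any pair of constructed states, exactly one of yields(v, w) and yields(w, v) holds, which is the content of parts 2 to 5 of Lemma 7.2.1; the overlap test deliberately treats intervals that only touch at the merge point, such as [(left, −5), (out, 0)] and [(out, 0), (out, 3)], as disjoint, matching the positive-length requirement of VALID.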


It is important to note that the abstract protector automaton Abs(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d) complies with the assumptions made about the abstract protector in Section 3.2.1. In particular, since the vehicle location variables, the vehicle velocity variables, and the collided variables are output variables of the MERGE-VEHICLES automaton, the set safe is Y_MERGE-VEHICLES-determinable and actions that guarantee safety can be determined from the output variables of the MERGE-VEHICLES automaton (Axioms 3.2.4 and 3.2.5, respectively). Moreover, the sets R_{i,i'} and G_{i,i'} are Y_MERGE-VEHICLES-determinable (Axioms 3.2.6 and 3.2.7, respectively) and the set of start states S_{i,i'} is a subset of the set safe (Axiom 3.2.8), since S_{i,i'} is defined to be the set safe.


In Section 3.1 it was shown that the abstract protector Abs_j guarantees that the physical plant PP remains within G starting from S given R. Similarly, the MERGE-PROT-PAIR_{i,i'} automaton guarantees that the MERGE-VEHICLES automaton remains within G_{i,i'} starting from S_{i,i'} given R_{i,i'}. This is shown in the following section.
7.4 Correctness of MERGE-PROT-PAIR_{i,i'}

The main result to be shown is that MERGE-PROT-PAIR_{i,i'} ≤ Abs(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d). Since both MERGE-PROT-PAIR_{i,i'} and Abs(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d) involve the composition of the same sensor automaton with distinct discrete controller automata, Theorem 2.7.4 applies. Therefore, it suffices to show that the discrete controller automaton of the protector MERGE-PROT-PAIR_{i,i'} of Figure 7.2 implements the discrete controller automaton DC(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d) of Figure 3.3. From Theorem 2.6.1, this follows by showing that there exists a simulation relation between the states of the discrete controller automaton of the protector MERGE-PROT-PAIR_{i,i'} and the discrete controller automaton DC(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d). We first give some set definitions, then prove some lemmas, and finally show the existence of such a simulation relation.


In this section, we use the notation future_{i,i'}, safe_{i,i'}, very-safe_{i,i'}, and delay-safe_{i,i'} to denote the specialization of the function future, the sets safe and very-safe, and the function delay-safe, which are defined in Section 3.2.1, to the automaton MERGE-VEHICLES, the sets R_{i,i'} and G_{i,i'}, and the port j of the MERGE-PROT-PAIR_{i,i'} protector. Moreover, since the environment action of the MERGE-VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs involving the PP automaton.


We proceed by defining several sets that are used in the correctness proof of the protector MERGE-PROT-PAIR_{i,i'}. For reference, their formal definitions appear in Table 7.2.


Let W_{i,i'} be the subset of R_{i,i'} ∩ G_{i,i'} comprised of the states in which the section of the track owned by the vehicle i does not overlap the section of track owned by the vehicle i'; that is, W_{i,i'} = R_{i,i'} ∩ G_{i,i'} ∩ disjoint-owned-tracks(i, i').

Let V_(i,i') be the subset of W_{i,i'} comprised of the states in which the vehicle i is being instructed to brake by the protector j and either the locations of the vehicles i and i' are comparable and l_i < l_{i'}, i.e., the vehicle i is trailing the vehicle i', or the locations of the vehicles i and i' are incomparable and the section of the track owned by the vehicle i is entirely upstream of the merge point (out, 0). Moreover, let V_{i,i'} be defined as V_{i,i'} = V_(i,i') ∪ V_(i',i).

Let T_{i,i'}(t), where t ∈ R≥0, be the subset of R_{i,i'} ∩ G_{i,i'} comprised of the states in which the section of the track claimed in time t by the vehicle i does not overlap the section of the track claimed in time t by the vehicle i'; that is, T_{i,i'}(t) = R_{i,i'} ∩ G_{i,i'} ∩ disjoint-claimed-tracks(i, i', t).


Table 7.2 Sets used in the correctness proof of MERGE-PROT-PAIR_{i,i'}.

W_{i,i'} ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$W_{i,i'} = R_{i,i'} \cap G_{i,i'} \cap \mathit{disjoint\text{-}owned\text{-}tracks}(i, i')$$

V_(i,i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$\begin{aligned}
V_{(i,i')} = \{p \in W_{i,i'} \cap P_{p_{ij}} \mid\;
& (p \in \mathit{comparable}(i, i') \wedge p.l_i < p.l_{i'}) \\
\vee\;& (p \in \mathit{incomparable}(i, i') \wedge \max(p.O_i) < (\mathit{out}, 0))\}
\end{aligned}$$

V_{i,i'} ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by

$$V_{i,i'} = V_{(i,i')} \cup V_{(i',i)}$$

T_{i,i'}(t) ⊆ VALID, for i, i' ∈ I, i ≠ i', and t ∈ R≥0, defined by

$$T_{i,i'}(t) = R_{i,i'} \cap G_{i,i'} \cap \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t)$$

The following lemma defines the relation among the sets G_{i,i'}, W_{i,i'}, V_{i,i'}, and T_{i,i'}(t), for t ∈ R≥0.

Lemma 7.4.1 For all t, t' ∈ R≥0, t ≤ t', the following hold:

1. T_{i,i'}(t) ⊆ W_{i,i'} ⊆ G_{i,i'}.

2. V_{i,i'} ⊆ W_{i,i'} ⊆ G_{i,i'}.

3. T_{i,i'}(t') ⊆ T_{i,i'}(t).

4. T_{i,i'}(0) = W_{i,i'}.

Proof: Follows directly from the definitions of the sets V_{i,i'}, W_{i,i'}, and T_{i,i'}(τ), where τ ∈ R≥0, and Lemma 4.4.2. □


In the following three lemmas, we show that any state R_{i,i'}-reachable from a state in V_(i,i') through an execution fragment that involves no input actions on port j, is in W_{i,i'}. In the first lemma, we show that if the final state of such an execution fragment is in G_{i,i'} and the section of track owned by the vehicle i has not grown since the beginning of the execution fragment, then the final state of the execution fragment is in W_{i,i'}. In the second lemma, we show that the final state of any such execution fragment is in G_{i,i'} and the section of track owned by the vehicle i does not grow throughout the execution fragment. Finally, the third lemma combines these two results and states formally the desired property.


Lemma 7.4.2 Let p ∈ V_(i,i') and p' ∈ future_{i,i'}(p, R≥0). If p' ∈ G_{i,i'} and p'.O_i ⊆ p.O_i, then p' ∈ W_{i,i'}.

Proof: We need to show that p' ∈ W_{i,i'}; that is, we need to show that the state p' is in the set R_{i,i'} ∩ G_{i,i'} ∩ disjoint-owned-tracks(i, i'). By assumption, it is the case that p' ∈ G_{i,i'}. Therefore, it remains to be shown that p' ∈ R_{i,i'} and p' ∈ disjoint-owned-tracks(i, i'). We consider these two conditions by cases:

1. p' ∈ R_{i,i'}. This is the case because the function future_{i,i'}(p, R≥0) only considers R_{i,i'}-reachable states.

2. p' ∈ disjoint-owned-tracks(i, i'). Since p ∈ V_(i,i'), there are two possible cases: (i) p ∈ comparable(i, i') and p.l_i < p.l_{i'}, and (ii) p ∈ incomparable(i, i') and max(p.O_i) < (out, 0).

In the first case, it is as if the vehicle i is trailing the vehicle i' on a single track. Since p ∈ V_(i,i') ⊆ W_{i,i'}, the sections of the track owned by the vehicles i and i' in state p are disjoint. Since p ∈ comparable(i, i') and p.l_i < p.l_{i'}, it follows that max(p.O_i) < min(p.O_{i'}). Moreover, Lemma 4.4.2, part 2, implies that max(p.O_i) < p.l_{i'}. Therefore, because of the non-negative constraint on the vehicle velocities and the assumption that p'.O_i ⊆ p.O_i, it follows that p' ∈ disjoint-owned-tracks(i, i').

In the second case, since max(p.O_i) < (out, 0), the section of the track owned by the vehicle i in state p is strictly within the incoming branch p.l_i.b. Since p'.O_i ⊆ p.O_i, the same is true for the section of track owned by the vehicle i in state p'. Therefore, since the vehicle i' is traveling on the adjacent incoming branch, it follows that p' ∈ disjoint-owned-tracks(i, i'). □


Lemma 7.4.3 If p ∈ V_(i,i') and p' ∈ future_{i,i'}(p, R≥0), then p' ∈ G_{i,i'} and p'.O_i ⊆ p.O_i.

Proof: Let α be an execution fragment of the MERGE-VEHICLES automaton of n steps and trajectories, where n ∈ N, that: starts in a state in V_(i,i'), is only comprised of states in R_{i,i'}, and involves no input actions on port j. Letting p_init and p_final be the initial and final states of α, respectively, we must show that p_final ∈ G_{i,i'} and p_final.O_i ⊆ p_init.O_i. The proof is by induction on the length n of the execution fragment α.

For the base case, consider the execution fragment α of length n = 0; that is, α is an execution fragment that consists of a single point trajectory and therefore, p_final = p_init. From Lemma 7.4.1, part 2, and the fact that p_init ∈ V_(i,i') ⊆ V_{i,i'}, it follows that p_final ∈ G_{i,i'}. Moreover, the fact that p_final.O_i ⊆ p_init.O_i is trivially true.

The inductive step involves showing that if α is an execution fragment of length n = k + 1, for some k ∈ N, then p_final ∈ G_{i,i'} and p_final.O_i ⊆ p_init.O_i. Let α' be the part of the execution fragment α comprised of the first k steps and trajectories. The induction hypothesis involves the assertion that if p'_init and p'_final are the initial and final states of α', respectively, then it is the case that p'_final ∈ G_{i,i'} and p'_final.O_i ⊆ p'_init.O_i. Moreover, from Lemma 7.4.2 it follows that p'_final ∈ W_{i,i'}. Since the final state of α is reached from the final state of α' by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from p'_final to p_final.

In the case of a step, we consider all possible actions by cases:

1. the actions protect(C)_j, for C ∈ P({i, i'}), are not enabled because α involves no input actions on port j.

2. the brick-wall(i) action sets the velocity of the vehicle i to zero and does not affect the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that p'_final ∈ G_{i,i'}. Therefore, since the brick-wall(i) action does not affect the collided(i, i') and collided(i', i) variables, it follows that p_final ∈ G_{i,i'}.

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that p_final.ẋ_i ≤ p'_final.ẋ_i. From Lemma 4.4.3, part 1, it follows that p_final.O_i ⊆ p'_final.O_i. However, from the induction hypothesis it is the case that p'_final.O_i ⊆ p'_init.O_i. Therefore, since p_init = p'_init, it follows that p_final.O_i ⊆ p_init.O_i, as needed.

3. the actions protect(C)_{j'}, for C ∈ P(I) and j' ∈ J, j' ≠ j, and brick-wall(i''), for i'' ∈ I, i'' ≠ i, affect neither the velocity of the vehicle i, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that p'_final ∈ G_{i,i'}. Therefore, since the actions protect(C)_{j'}, for C ∈ P(I) and j' ∈ J, j' ≠ j, and brick-wall(i''), for i'' ∈ I, i'' ≠ i, do not affect the collided(i, i') and collided(i', i) variables, it follows that p_final ∈ G_{i,i'}.

Moreover, since the input actions protect(C)_{j'}, for C ∈ P(I) and j' ∈ J, j' ≠ j, and the internal actions brick-wall(i''), for i'' ∈ I, i'' ≠ i, do not affect the velocity of the vehicle i, it is the case that p_final.ẋ_i = p'_final.ẋ_i. From Lemma 4.4.3, part 1, it follows that p_final.O_i ⊆ p'_final.O_i. However, from the induction hypothesis it is the case that p'_final.O_i ⊆ p'_init.O_i. Therefore, since p_init = p'_init, it follows that p_final.O_i ⊆ p_init.O_i, as needed.

4. the internal actions colliding-pair(i'', i'''), for i'', i''' ∈ I, i'' ≠ i''', and the internal actions collision-effects(i''), for i'' ∈ I, are not enabled because α is only comprised of states in R_{i,i'} and p'_final ∈ W_{i,i'}.

Since p_init ∈ V_(i,i') ⊆ P_{p_ij} and the execution fragment leading from p_init to p'_final involves no input actions on port j, it follows that p'_final ∈ P_{p_ij}. Therefore, in the case of a trajectory from p'_final to p_final, Lemma 4.4.4, part 1, implies that p_final.O_i ⊆ p'_final.O_i. However, from the induction hypothesis it is the case that p'_final.O_i ⊆ p'_init.O_i. Therefore, since p_init = p'_init, it follows that p_final.O_i ⊆ p_init.O_i. Moreover, since p'_final ∈ G_{i,i'} and the variables collided(i, i') and collided(i', i) remain constant throughout the trajectory, it follows that p_final ∈ G_{i,i'}, as needed. □


Lemma 7.4.4 $\textit{futures}_{\{i,i'\}}(V'_{\{i,i'\}}, \mathbb{R}^{\geq 0}) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 7.4.2 and 7.4.3. ∎

In the following lemma, we extend the result of Lemma 7.4.4 to the set $V_{\{i,i'\}}$.

Lemma 7.4.5 $\textit{futures}_{\{i,i'\}}(V_{\{i,i'\}}, \mathbb{R}^{\geq 0}) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.4 and the fact that $V_{\{i,i'\}} = V'_{\{i,i'\}} \cup V'_{\{i',i\}}$. ∎

In the following two lemmas, we use Lemma 7.4.5 to show that $V_{\{i,i'\}} \subseteq \textit{very-safe}_{\{i,i'\}}$ and $V_{\{i,i'\}} \subseteq \textit{delay-safe}_{\{i,i'\}}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, respectively.

Lemma 7.4.6 $V_{\{i,i'\}} \subseteq \textit{very-safe}_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.5 and Lemma 7.4.1, part 1. ∎

Lemma 7.4.7 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $V_{\{i,i'\}} \subseteq \textit{delay-safe}_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 7.4.6 and Lemma 3.2.5, part 1. ∎


In the next three lemmas and the subsequent corollary, we show that the sets $W_{\{i,i'\}}$ and $\textit{safe}_{\{i,i'\}}$ are equal. First, we show that any state that is $R_{\{i,i'\}}$-reachable from a state $p$ in $W_{\{i,i'\}}$ through an execution fragment that involves no input actions on port $j$ and has a limit time equal to zero, is in the set $W_{\{i,i'\}}$. Then, we show that $W_{\{i,i'\}} \subseteq \textit{safe}_{\{i,i'\}}$ and $\textit{safe}_{\{i,i'\}} \subseteq W_{\{i,i'\}}$. Finally, the subsequent corollary states that $W_{\{i,i'\}} = \textit{safe}_{\{i,i'\}}$.


Lemma 7.4.8 $\textit{futures}_{\{i,i'\}}(W_{\{i,i'\}}, 0) \subseteq W_{\{i,i'\}}$.

Proof: Let $\alpha$ be an execution fragment of the MERGE-VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that: starts in a state in $W_{\{i,i'\}}$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time equal to zero. Let $p_{\mathit{init}}$ and $p_{\mathit{final}}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of no steps and, therefore, $p_{\mathit{final}} = p_{\mathit{init}}$. Since $p_{\mathit{init}} \in W_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, then $p_{\mathit{final}} \in W_{\{i,i'\}}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{\mathit{final}}$ is the final state of $\alpha'$, then it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$.

To complete the induction, we consider all possible discrete actions by cases:

1. The actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. The $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_i \leq p'_{\mathit{final}}.\dot{x}_i$. Moreover, since the $\textit{brick-wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

3. The $\textit{brick-wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\textit{brick-wall}(i')$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} \leq p'_{\mathit{final}}.\dot{x}_{i'}$. Moreover, since the $\textit{brick-wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$ and $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

4. The actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$ and $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it is the case that $p_{\mathit{final}} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

5. The internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \neq i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{\mathit{final}} \in W_{\{i,i'\}}$. ∎


Lemma 7.4.9 $W_{\{i,i'\}} \subseteq \textit{safe}_{\{i,i'\}}$.

Proof: From the definition of $\textit{safe}$ in Section 3.2.1, we must show that any state $p \in W_{\{i,i'\}}$ satisfies: (i) $\textit{futures}_{\{i,i'\}}(p,0) \subseteq G_{\{i,i'\}}$, and (ii) there exists some input action $\pi$ on port $j$ such that for every $p',p'' \in R_{\{i,i'\}}$ satisfying $p' \in \textit{futures}_{\{i,i'\}}(p,0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{very-safe}_{\{i,i'\}}$.

(i) Since $p \in W_{\{i,i'\}}$, the first condition follows from Lemma 7.4.8 and Lemma 7.4.1, part 1.

(ii) For the second condition, let $\pi$ be the action $\textit{protect}(C)_j$, where $C = \{i\}$, if $p \in \textit{yield}(i,i')$, and $C = \{i'\}$, otherwise. Without loss of generality, let $p \in \textit{yield}(i,i')$ and $C = \{i\}$.

Throughout the execution fragment from $p$ to $p'$, the actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \neq i'''$, and $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled. Therefore, since none of the other discrete actions of the MERGE-VEHICLES automaton can increase the velocities of the vehicles $i$ and $i'$, Lemma 4.4.3, part 1, implies that $p'.O_i \subseteq p.O_i$ and $p'.O_{i'} \subseteq p.O_{i'}$. Moreover, since the $\textit{protect}(\{i\})_j$ action does not affect the velocity of the vehicle $i$, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$. Since $p''.O_i \subseteq p.O_i$ and $p \in \textit{yield}(i,i')$, it is the case that in the state $p''$ either the locations of the vehicles $i$ and $i'$ are comparable and the vehicle $i$ is trailing the vehicle $i'$, or the locations of the vehicles $i$ and $i'$ are not comparable and the section of track owned by the vehicle $i$ is entirely upstream of the merge point $(\mathit{out},0)$.

Moreover, considering the step from $p'$ to $p''$, the $\textit{protect}(\{i\})_j$ action affects neither the velocity of any of the vehicles, nor any of the $\textit{collided}$ variables. Therefore, since Lemma 7.4.8 implies that $p' \in W_{\{i,i'\}}$, it follows that $p'' \in R_{\{i,i'\}}$ and $p'' \in G_{\{i,i'\}}$. In addition, since the $\textit{protect}(\{i\})_j$ action does not affect the velocities of the vehicles $i$ and $i'$, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$ and $p''.O_{i'} \subseteq p'.O_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, it follows that $p'' \in \textit{disjoint-owned-tracks}(i,i')$. From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$.

In addition, since the $\textit{protect}(\{i\})_j$ action sets the variable $\textit{brake-req}(i,j)$ to True, it is also the case that $p'' \in P_{b_j}$.

Thus, since $p'' \in W_{\{i,i'\}}$, $p'' \in P_{b_j}$, and either the locations of the vehicles $i$ and $i'$ in the state $p''$ are comparable and the vehicle $i$ is trailing the vehicle $i'$, or the locations of the vehicles $i$ and $i'$ in the state $p''$ are not comparable and the section of track owned by the vehicle $i$ is entirely upstream of the merge point $(\mathit{out},0)$, it follows that $p'' \in V'_{\{i,i'\}} \subseteq V_{\{i,i'\}}$.

Finally, Lemma 7.4.6 implies that $p'' \in \textit{very-safe}_{\{i,i'\}}$, as needed. ∎


Lemma 7.4.10 For any $p \in R_{\{i,i'\}}$, if $p \in \textit{safe}_{\{i,i'\}}$ then $p \in W_{\{i,i'\}}$.

Proof: We show the contrapositive; that is, for any $p \in R_{\{i,i'\}}$, if $p \notin W_{\{i,i'\}}$ then $p \notin \textit{safe}_{\{i,i'\}}$. Since $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \textit{disjoint-owned-tracks}(i,i')$ and $p \in R_{\{i,i'\}}$, we consider the conditions $p \notin G_{\{i,i'\}}$ and $p \notin \textit{disjoint-owned-tracks}(i,i')$ separately.

1. $p \notin G_{\{i,i'\}}$.

   From Lemma 3.2.4, part 1, it is the case that $\textit{safe}_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Since $p \notin G_{\{i,i'\}}$, it follows that $p \notin \textit{safe}_{\{i,i'\}}$.

2. $p \notin \textit{disjoint-owned-tracks}(i,i')$.

   We must show that $p \notin \textit{safe}_{\{i,i'\}}$. In order for the state $p \in R_{\{i,i'\}}$ to be in the set $\textit{safe}_{\{i,i'\}}$ there must exist some input action $\pi$ on port $j$ such that for every $p',p'' \in R_{\{i,i'\}}$ satisfying $p' \in \textit{futures}_{\{i,i'\}}(p,0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{very-safe}_{\{i,i'\}}$. Therefore, it suffices to show that for any input action $\pi$ on port $j$, there exist $p',p'' \in R_{\{i,i'\}}$ satisfying $p' \in \textit{futures}_{\{i,i'\}}(p,0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \textit{very-safe}_{\{i,i'\}}$.

   Without loss of generality, suppose that the vehicles $i$ and $i'$ are traveling on adjacent branches in the state $p$, i.e., $p \in \textit{incomparable}(i,i')$, and let $\pi = \textit{protect}(\{i,i'\})_j$.

   Since Lemma 3.2.1, part 3, implies that $p \in \textit{futures}_{\{i,i'\}}(p,0)$, consider the case where $p' = p$. Since $p' = p$ and the input action $\textit{protect}(\{i,i'\})_j$ affects neither the location, nor the velocity of the vehicles $i$ and $i'$, it follows that $p''.l_i = p'.l_i = p.l_i$, $p''.\dot{x}_i = p'.\dot{x}_i = p.\dot{x}_i$, $p''.l_{i'} = p'.l_{i'} = p.l_{i'}$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = p.\dot{x}_{i'}$. Therefore, since the section of track owned by any vehicle depends only on its location and its velocity, it is the case that $p''.O_i = p'.O_i = p.O_i$ and $p''.O_{i'} = p'.O_{i'} = p.O_{i'}$. Therefore, since $p \notin \textit{disjoint-owned-tracks}(i,i')$, $p''.O_i = p.O_i$, and $p''.O_{i'} = p.O_{i'}$, it follows that $p'' \notin \textit{disjoint-owned-tracks}(i,i')$. Moreover, since the vehicles $i$ and $i'$ are traveling on adjacent branches in the state $p$, $p''.l_i = p.l_i$, $p''.l_{i'} = p.l_{i'}$, and $p'' \notin \textit{disjoint-owned-tracks}(i,i')$, it follows that $(\mathit{out},0) \in p''.O_i$ and $(\mathit{out},0) \in p''.O_{i'}$.

   Again, without loss of generality, suppose that the vehicle $i'$ is the first of the vehicles $i$ and $i'$ to reach the merge point $(\mathit{out},0)$ and that the vehicles $i$ and $i'$ have not collided up until the point in time when the vehicle $i'$ reaches the merge point. Moreover, consider the evolution of the MERGE-VEHICLES automaton following the state $p''$ in which a $\textit{brick-wall}(i')$ action is executed at the exact instant in time when the location of the vehicle $i'$ equals the merge point $(\mathit{out},0)$ and the vehicles $i$ and $i'$ move forward and remain stationary thereafter, respectively. Since $(\mathit{out},0) \in p''.O_i$, it follows that at some state of such an evolution the action $\textit{colliding-pair}(i,i')$ is enabled and, subsequently, executed. The state of the MERGE-VEHICLES automaton following the execution of the action $\textit{colliding-pair}(i,i')$ would, therefore, not be in $G_{\{i,i'\}}$. It follows that $p'' \notin \textit{very-safe}_{\{i,i'\}}$, which implies that $p \notin \textit{safe}_{\{i,i'\}}$.

   Using similar analyses, it can be shown that for any such $p \in R_{\{i,i'\}}$ and any input action $\pi$ on port $j$, there exist $p',p'' \in R_{\{i,i'\}}$ satisfying $p' \in \textit{futures}_{\{i,i'\}}(p,0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \textit{very-safe}_{\{i,i'\}}$. It follows that $p \notin \textit{safe}_{\{i,i'\}}$, as needed. ∎


Corollary 7.4.11 $W_{\{i,i'\}} = \textit{safe}_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 7.4.9 and 7.4.10. ∎


In the next few lemmas, we show that any state $p$ in the set $T_{\{i,i'\}}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, is in the set $\textit{delay-safe}_{\{i,i'\}}(t)$; that is, any state $R_{\{i,i'\}}$-reachable from $p$ within an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set $G_{\{i,i'\}}$, and any state $R_{\{i,i'\}}$-reachable from the state $p$ in exactly an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set $\textit{safe}_{\{i,i'\}}$.


Lemma 7.4.12 Let $p \in T_{\{i,i'\}}(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in \textit{futures}_{\{i,i'\}}(p,t)$, where $t \in [0,\tau]$. If $p' \in G_{\{i,i'\}}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, then $p' \in T_{\{i,i'\}}(\tau - t)$.

Proof: We need to show that $p' \in R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \textit{disjoint-claimed-tracks}(i,i',\tau - t)$. Since $p' \in G_{\{i,i'\}}$, it remains to be shown that $p' \in R_{\{i,i'\}}$ and $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$. We consider these two conditions by cases:

1. $p' \in R_{\{i,i'\}}$.

   This is the case because the function $\textit{futures}_{\{i,i'\}}(p,t)$ only considers $R_{\{i,i'\}}$-reachable states.

2. $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$.

   Since $p \in \textit{disjoint-claimed-tracks}(i,i',\tau)$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, it follows that $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$, as needed. ∎


Lemma 7.4.13 For all $p \in T_{\{i,i'\}}(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in \textit{futures}_{\{i,i'\}}(p,t)$, where $t \in [0,\tau]$, it is the case that $p' \in G_{\{i,i'\}}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$.

Proof: Let $\tau \in \mathbb{R}^{\geq 0}$ and $\alpha$ be an execution fragment of the MERGE-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $T_{\{i,i'\}}(\tau)$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0,\tau]$. Letting $p_{\mathit{init}}$ and $p_{\mathit{final}}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{\mathit{final}} \in G_{\{i,i'\}}$, $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$, and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$.

The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{\mathit{final}} = p_{\mathit{init}}$ and $\alpha.\mathit{ltime} = 0$, i.e., $t = 0$. From Lemma 7.4.1, part 1, and the fact that $p_{\mathit{init}} \in T_{\{i,i'\}}(\tau)$, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$. Moreover, since $t = 0$, the conditions $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$ are trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, with $\alpha.\mathit{ltime} = t$, where $t \in [0,\tau]$, then $p_{\mathit{final}} \in G_{\{i,i'\}}$, $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$, and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories and let $\alpha'.\mathit{ltime} = t'$, where $t' \in [0,t]$. The induction hypothesis involves the assertion that if $p'_{\mathit{init}}$ and $p'_{\mathit{final}}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$, $p'_{\mathit{final}}.C_i(\tau - t') \subseteq p'_{\mathit{init}}.C_i(\tau)$, and $p'_{\mathit{final}}.C_{i'}(\tau - t') \subseteq p'_{\mathit{init}}.C_{i'}(\tau)$. Moreover, from Lemma 7.4.12 it follows that $p'_{\mathit{final}} \in T_{\{i,i'\}}(\tau - t')$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$.

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible actions by cases:

1. The actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. The $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_i \leq p'_{\mathit{final}}.\dot{x}_i$. Moreover, since the $\textit{brick-wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p'_{\mathit{final}}.C_i(\tau - t')$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p'_{\mathit{final}}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{\mathit{final}}.C_i(\tau - t') \subseteq p'_{\mathit{init}}.C_i(\tau)$ and $p'_{\mathit{final}}.C_{i'}(\tau - t') \subseteq p'_{\mathit{init}}.C_{i'}(\tau)$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$, as needed.

3. The $\textit{brick-wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$. Therefore, since the $\textit{brick-wall}(i')$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} \leq p'_{\mathit{final}}.\dot{x}_{i'}$. Moreover, since the $\textit{brick-wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p'_{\mathit{final}}.C_i(\tau - t')$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p'_{\mathit{final}}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{\mathit{final}}.C_i(\tau - t') \subseteq p'_{\mathit{init}}.C_i(\tau)$ and $p'_{\mathit{final}}.C_{i'}(\tau - t') \subseteq p'_{\mathit{init}}.C_{i'}(\tau)$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$, as needed.

4. The actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$ and $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p'_{\mathit{final}}.C_i(\tau - t')$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p'_{\mathit{final}}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{\mathit{final}}.C_i(\tau - t') \subseteq p'_{\mathit{init}}.C_i(\tau)$ and $p'_{\mathit{final}}.C_{i'}(\tau - t') \subseteq p'_{\mathit{init}}.C_{i'}(\tau)$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$, as needed.

5. The internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \neq i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{\mathit{final}} \in T_{\{i,i'\}}(\tau - t')$.

In the case of a trajectory, Lemma 4.4.4, part 2, applies and it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p'_{\mathit{final}}.C_i(\tau - t')$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p'_{\mathit{final}}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{\mathit{final}}.C_i(\tau - t') \subseteq p'_{\mathit{init}}.C_i(\tau)$ and $p'_{\mathit{final}}.C_{i'}(\tau - t') \subseteq p'_{\mathit{init}}.C_{i'}(\tau)$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.C_i(\tau - t) \subseteq p_{\mathit{init}}.C_i(\tau)$ and $p_{\mathit{final}}.C_{i'}(\tau - t) \subseteq p_{\mathit{init}}.C_{i'}(\tau)$. Moreover, since $p'_{\mathit{final}} \in G_{\{i,i'\}}$ and the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables remain constant throughout the trajectory, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$, as needed. ∎

Lemma 7.4.14 For $\tau \in \mathbb{R}^{\geq 0}$ and $t \in [0,\tau]$, it is the case that $\textit{futures}_{\{i,i'\}}(T_{\{i,i'\}}(\tau), t) \subseteq T_{\{i,i'\}}(\tau - t)$.

Proof: Follows directly from Lemmas 7.4.12 and 7.4.13. ∎

Corollary 7.4.15 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $\textit{futures}_{\{i,i'\}}(T_{\{i,i'\}}(t), 0) \subseteq T_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 7.4.14. ∎


Lemma 7.4.16 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $T_{\{i,i'\}}(t) \subseteq \textit{delay-safe}_{\{i,i'\}}(t)$.

Proof: From the definition of $\textit{delay-safe}$ in Section 3.2.1, we must show that:

1. $\textit{futures}_{\{i,i'\}}(T_{\{i,i'\}}(t), [0,t]) \subseteq G_{\{i,i'\}}$, and
2. $\textit{futures}_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq \textit{safe}_{\{i,i'\}}$.

The first condition follows directly from Lemma 7.4.14 and Lemma 7.4.1, part 1. Moreover, Lemma 7.4.14 and Lemma 7.4.1, part 4, imply that $\textit{futures}_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq W_{\{i,i'\}}$. Therefore, the second condition follows from Lemma 7.4.9. ∎


In the following lemma, we show that the MERGE-PROT-PAIR$_{\{i,i'\}}$ protector implements the Abs(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$) protector. Since the protector automata MERGE-PROT-PAIR$_{\{i,i'\}}$ and Abs$_j$ involve the composition of the same sensor automaton with distinct controller automata, it suffices to show that the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ implements the discrete controller automaton DC(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).
Lemma 7.4.17 MERGE-PROT-PAIR$_{\{i,i'\}} \leq$ Abs(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).

Proof: Both the MERGE-PROT-PAIR$_{\{i,i'\}}$ and the Abs$_j$ protectors involve the composition of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ implements DC$_j$. This is shown by a simulation from the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ to DC$_j$.

The mapping between the states of the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ is almost the identity. In the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$, the variable $\mathit{send}_j$ is equal to either a member of $\mathcal{P}(\{i,i'\})$, or the value $\mathit{null}$. In DC$_j$, these valuations simply map to either the actions $\textit{protect}(C)_j$, where $C$ is the member of $\mathcal{P}(\{i,i'\})$ that corresponds to the valuation of the variable $\mathit{send}_j$ of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$, or the value $\mathit{null}$, respectively.

The start states for the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ are the states in which $\mathit{send}_j = \mathit{null}$. These are related to each other according to the mapping discussed above.

Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the MERGE-VEHICLES automaton that corresponds to the output state $y$, i.e., $p \in \mathit{VALID}$ and $p\lceil Y_{\text{MERGE-VEHICLES}} = y$.

1. The $\textit{snapshot}(y)_j$ action of the implementation sets $\mathit{send}_j$ to an element of $\mathcal{P}(\{i,i'\})$. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action $\textit{snapshot}(y)_j$ of the implementation sets the value of the $\mathit{send}_j$ variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees that for all $p',p'' \in R_{\{i,i'\}}$ such that $p' \in \textit{futures}_{\{i,i'\}}(p,0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{delay-safe}_{\{i,i'\}}(d)$, if $p \in \textit{safe}_{\{i,i'\}}$, and (ii) is an arbitrary output action of the implementation, otherwise.

   First, consider the case in which $p \in \textit{safe}_{\{i,i'\}}$. Since Corollary 7.4.11 implies that $p \in W_{\{i,i'\}}$, the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ according to whether the state $p$ is in $T_{\{i,i'\}}(d)$, or not.

   On one hand, if $p \notin T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to either $\{i\}$, or $\{i'\}$ according to the strategy described in Section 7.3. Therefore, the $\textit{snapshot}(y)_j$ action enables either the $\textit{protect}(\{i\})_j$ action, or the $\textit{protect}(\{i'\})_j$ action. Since $p \in W_{\{i,i'\}}$, Lemma 7.4.8 implies that $p' \in W_{\{i,i'\}}$. Moreover, since the $\textit{protect}(\{i\})_j$ and $\textit{protect}(\{i'\})_j$ actions affect neither the velocity of any of the vehicles, nor any of the $\textit{collided}$ variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, Lemma 4.4.3, part 1, implies that $p'' \in \textit{disjoint-owned-tracks}(i,i')$. From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$. Moreover, since the $\textit{protect}(\{i\})_j$ and $\textit{protect}(\{i'\})_j$ actions set the $\textit{brake-req}(i,j)$ and $\textit{brake-req}(i',j)$ variables, respectively, to True, it follows that $p'' \in V_{\{i,i'\}}$. Finally, Lemma 7.4.7 implies that $p'' \in \textit{delay-safe}_{\{i,i'\}}(d)$, as needed.

   On the other hand, if $p \in T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to $\emptyset$ and the $\textit{protect}(\emptyset)_j$ action is enabled. Since $p \in T_{\{i,i'\}}(d)$, Corollary 7.4.15 implies that $p' \in T_{\{i,i'\}}(d)$. Moreover, since the $\textit{protect}(\emptyset)_j$ action affects neither the velocity of any of the vehicles, nor any of the $\textit{collided}$ variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in T_{\{i,i'\}}(d)$, Lemma 4.4.3, part 2, implies that $p'' \in \textit{disjoint-claimed-tracks}(i,i',d)$. From the above conditions, it follows that $p'' \in T_{\{i,i'\}}(d)$. Finally, Lemma 7.4.16 implies that $p'' \in \textit{delay-safe}_{\{i,i'\}}(d)$, as needed.

   Next, consider the case in which $p \notin \textit{safe}_{\{i,i'\}}$. In this case, the $\textit{snapshot}(y)_j$ action of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to either $\{i\}$, $\{i'\}$, or $\emptyset$ and, subsequently, enables either the $\textit{protect}(\{i\})_j$ action, the $\textit{protect}(\{i'\})_j$ action, or the $\textit{protect}(\emptyset)_j$ action, respectively. However, when $p \notin \textit{safe}_{\{i,i'\}}$, the DC$_j$ automaton sets the variable $\mathit{send}_j$ arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ is allowed by that of the DC$_j$ automaton.

   Therefore, the effects of the $\textit{snapshot}(y)_j$ action of the implementation are allowed by its specification.

2. The $\textit{protect}(C)_j$ actions, for $C \in \mathcal{P}(\{i,i'\})$, have identical effects in both discrete controller automata. When the $\mathit{send}_j$ variable matches either the set $C$, or the $\textit{protect}(C)_j$ action, respectively, the action $\textit{protect}(C)_j$ is executed and the $\mathit{send}_j$ variable is set to $\mathit{null}$ in both discrete controller automata.

3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ and the DC$_j$ automaton prior to and succeeding the execution of the environment action remains the same. ∎

Corollary 7.4.18 The protector MERGE-PROT-PAIR$_{\{i,i'\}}$ guarantees that the automaton MERGE-VEHICLES remains within $G_{\{i,i'\}}$ starting from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.17 and Theorem 3.2.9. ∎
Table 7.3 Formal definitions of MERGE-PROT, $G_{\text{MERGE-PROT}}$, $S_{\text{MERGE-PROT}}$, and $R_{\text{MERGE-PROT}}$.

$\text{MERGE-PROT} = \prod_{i,i' \in I,\, i \neq i'} \text{MERGE-PROT-PAIR}_{\{i,i'\}}$

$G_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$

$S_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} S_{\{i,i'\}}$

$R_{\text{MERGE-PROT}} = P_{\textit{not-overspeed}}$


7.5 Protection System MERGE-PROT

We now define the collision protector MERGE-PROT. While considering the automaton MERGE-PROT, we restrict the states of the MERGE-VEHICLES automaton to $P_{\textit{not-overspeed}}$ as defined in Section 4.2, i.e., $R_{\text{MERGE-PROT}} = P_{\textit{not-overspeed}}$. Let $G_{\text{MERGE-PROT}}$ and $S_{\text{MERGE-PROT}}$ be the intersection of $G_{\{i,i'\}}$ and $S_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I$, $i \neq i'$, respectively, and MERGE-PROT be the composition of MERGE-PROT-PAIR$_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I$, $i \neq i'$. The protector MERGE-PROT guarantees that MERGE-VEHICLES remains within $G_{\text{MERGE-PROT}}$ starting from $S_{\text{MERGE-PROT}}$ given $R_{\text{MERGE-PROT}}$. For reference, the formal definitions of the MERGE-PROT automaton and the sets $G_{\text{MERGE-PROT}}$, $S_{\text{MERGE-PROT}}$, and $R_{\text{MERGE-PROT}}$ are shown in Table 7.3.


Lemma 7.5.1 The protector MERGE-PROT guarantees that the MERGE-VEHICLES automa- 


ton remains within Gyercnpror from Svercs-pror gven Ryprap-prov- 


In the following proof, we show that all the states of an execution of PP x MERGE-PROT 
starting from S\ercepror given Ryprappror are in Gyercs-pror- This is done by applying 


Theorem 3.1.8 and showing that the second condition of the theorem does not hold. 


Proof: Let a be any execution of the system PP x MERGE-PROT starting from a state in 


Swercr-prot and in which all states are in Rypropr-pror: 


From Theorem 3.1.8, one of the following holds: 


1. Every state in @ is in Gyercr-prot = [) ii! © Liki! Gin. 


2. a can be written as a, ~ a2, where 
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(a) All state occurrences in a, except possibly the last state occurrence are in the 
set Gurrce-pror = [) ial € Lisi! Gi} 

b) If the last state occurrence in a; is in Gr; ;n, for some 7,7’ € IT,7 # 2’, then there 

{iil} ’ ’ ’ 

exists t,t” € Fi," A ft" F {2,7}, such that the last state occurrence in 
Q1 is in Gein gry. 

c) All state occurrences in ag except possibly the first state occurrence are in the 

pt p y 

set 1) gn yen past(G gv jr, a), for some N C {{i, 7} |i, € 1,7 £ wv}, where 
|N| > 2. 


We proceed by showing that it is not possible to decompose a as a, ~ a2 while satisfying 


the three aforementioned conditions. 


The violation of Niet nigeit Gy; 44 can only occur through the violation of at least one 
of the conditions Gy; ;,, where i,t’ € I,i # wv. Moreover, each of these conditions are 
violated only through the execution of a colliding-pair action. Without loss of generality, 
suppose that the first condition that is violated in a is the condition Gy; jn, for some 
i,v’ € T,i Aw, and that such a violation has resulted through a colliding-pair(?, 7’) 
action. Let pand p’ be the states of the MERGE-VEHICLES automaton prior to and succeeding 
this colliding-pair(i,i’) action, i.e., p,p’ © Ruerappror such that p—+ p’, where 7 = 
colliding-pair(i,i’). Since the colliding-pair(i, i’) action only sets the collided(i, i’) 
variable to True, it follows that p’ € Grin (MN ia | Lagi La etiany Gin in )- Now, 


we attempt to decompose a as ay ~ ag: 


1. Suppose we split a at any state preceding the state p. Then the state p is in 
a2. Since p’ is the first state in which one of the conditions Gigi jn, for i”, i" € 
I,i” 4 wv", is violated, it is the case that p € A ii © rangi Gain guy and there 
does not exist N C {{i",e™} | 4 i” © FT," A wv} such that |N| > 2 and p € 
‘a fi EN past(G yn j,a). Therefore, the third condition is violated and this de- 
composition of a@ is not valid. 

2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'', i''' \in I$, $i'' \neq i'''$, is violated and since the state $p'$ is in $\overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that there does not exist $N \subseteq \{\{i'', i'''\} \mid i'', i''' \in I, i'' \neq i'''\}$ such that $|N| \geq 2$ and $p' \in \bigcap_{\{i'',i'''\} \in N} past(G_{\{i'',i'''\}}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. However, $p' \in \overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since $p' \in \overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that the state $p'$ is not in the set $\bigcap_{i'',i''' \in I, i'' \neq i'''} G_{\{i'',i'''\}}$. Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.


Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{MERGE-PROT}$. This implies that the protector MERGE-PROT guarantees $G_{MERGE-PROT}$ in the MERGE-VEHICLES automaton starting from $S_{MERGE-PROT}$ given $R_{MERGE-PROT}$. ∎
Chapter 8

Example 4:
Collision Avoidance on a General Graph of Tracks


In this chapter, we consider a general track topology involving binary merges and diverges. We first augment the model of the PRT 2000™ to involve a track topology consisting of multiple branches interconnected by Y-shaped merges and diverges; the new model is referred to as the GRAPH-VEHICLES automaton. Then we define the protector GRAPH-PROT that guarantees that none of the vehicles of the GRAPH-VEHICLES automaton collide, assuming that they are all abiding by the speed limit. The GRAPH-PROT protector is defined as the composition of $n(n-1)/2$ separate copies of another protector called GRAPH-PROT-PAIR$_{\{i,i'\}}$, one copy for each unordered pair $\{i, i'\}$ of vehicles of the GRAPH-VEHICLES automaton, for $i, i' \in I$, $i \neq i'$. Each of these GRAPH-PROT-PAIR$_{\{i,i'\}}$ protectors, for $i, i' \in I$, $i \neq i'$, is an implementation of a particular instantiation of the abstract protector automaton of Section 3.2 and guarantees that the vehicles $i$ and $i'$ do not collide into each other.


8.1 Augmented Physical Plant: GRAPH-VEHICLES 


In this section we augment the model for the system of $n$ vehicles to involve a track topology involving binary merges and diverges. This is done by extending the definition of the location of a vehicle to support a graph of tracks and by introducing an additional internal discrete action which is used to update the location variables of the vehicles as they cross the junction points in the track topology.


The track topology is represented by a directed graph $G = (V, E)$, where $V$ and $E$ denote the sets of vertices and edges of the graph $G$, respectively. The vertices and edges of the graph $G$ correspond, respectively, to the junctions and branches of the track topology. Any edge $e$ of the graph $G$ is specified by an ordered pair of vertices that denote the initial and the final vertices of the directed edge $e$, i.e., $e = (v_{init}, v_{final})$. We use the notation $e.v_{init}$ and $e.v_{final}$ to denote the initial and final vertices of the edge $e$, respectively. The function $length : E \to \mathbb{R}^{\geq 0}$ maps an edge to its length. Moreover, the functions $in(v)$, $out(v)$, and $e(v)$ map the vertex $v$ of the graph $G$ to its sets of incoming edges, outgoing edges, and both incoming and outgoing edges, respectively; that is, $in : V \to \mathcal{P}(E)$, $out : V \to \mathcal{P}(E)$, and $e : V \to \mathcal{P}(E)$, with $e(v) = in(v) \cup out(v)$, for all $v \in V$.


The graph G, as defined above, is assumed to satisfy the following conditions: 


• All the edges of the graph $G$ are of sufficient length to rule out collisions among vehicles that are neither on identical, nor on contiguous edges; that is, if $d_{max}$ is the maximum sampling period of all the protectors under consideration, the length of each edge in the graph $G$ is greater than $\Delta_{d_{max}} = \dot{c}_{max} d_{max} - \dot{c}_{max}^2 / (2\ddot{c}_{brake})$, the maximum distance a vehicle can travel if left free for $d_{max}$ time units and instructed to brake thereafter, under the assumption that the vehicle does not collide and is abiding by the speed limit. This restriction rules out the possibility of a vehicle having a $d_{max}$ time unit claim overlap with a vehicle that is more than one edge upstream or downstream.

• All the merges and diverges of the graph $G$ are Y-shaped; that is, for each vertex $v$ in the graph $G$, it is the case that $(|in(v)|, |out(v)|) \in \{(1, 1), (2, 1), (1, 2)\}$.

• All cycles must contain at least three edges. This condition ensures that the ordering of the locations of vehicles traveling on successive branches of the track topology is well defined.


Any point on the graph $G$ is represented by a pair consisting of the directed edge of the graph $G$ and the distance of the particular point from the initial vertex of the directed edge. The formal definition of the set $L$ of locations is as follows:

$L = \{(e, x) \mid e \in E \text{ and } x \in [0, length(e)]\}$

The set of locations is constrained by the length of the edges of the graph $G$; that is, for $l \in L$ and $l = (e, x)$, it is the case that $x \in [0, length(e)]$. We use the notation $l.e$ and $l.x$ to denote the edge and position components of the location $l$, respectively. It is important to note that, in this representation scheme, the vertices of the graph $G$ have non-unique representations; that is, for all edges $e, e' \in E$, with $e.v_{final} = e'.v_{init}$, it is the case that the location $l = (e, length(e))$ is identical to the location $l' = (e', 0)$. Finally, two locations in $L$ are comparable if they are locations either on identical, or on successive edges, i.e., the locations $l, l' \in L$ are comparable only if either $l.e = l'.e$, or $l.e.v_{final} = l'.e.v_{init}$, or $l.e.v_{init} = l'.e.v_{final}$.
Addition of a non-negative scalar $y$ to a location $l \in L$, where $l = (e, x)$, maps the location $l$ to the set of locations that can be reached from the location $l$ by traveling a distance $y$ downstream. The set $(e, x) + y$ always exists and is defined to be either the singleton $\{(e, x + y)\}$, if $x + y \leq length(e)$, or the set $\bigcup_{e' \in out(e.v_{final})} \left((e', 0) + (x + y - length(e))\right)$, otherwise. This definition handles the cases in which the locations $(e, x) + y$ extend past a single split or merge, or even multiple splits and/or merges in the track topology.

It is important to note that addition of a location $l$ with a non-negative scalar that is bounded by the minimum distance from the location $l$ to the closest second junction downstream results in a set of locations in which each location $l'$ is comparable to the location $l$ and satisfies the inequality $l \leq l'$; that is, for all $l \in L$, where $l = (e, x)$, and $y \in [0, length(e) - x + \min_{e' \in out(e.v_{final})} length(e')]$, the location $l$ is comparable to all locations in $l + y$ and, moreover, $l \leq l'$, for all $l' \in l + y$. In particular, since the length of each edge of the graph $G$ is assumed to be greater than $\Delta_{d_{max}}$, addition of a location $l$ with a non-negative scalar $y \leq \Delta_{d_{max}}$ results in a set of locations in which each location $l'$ is comparable to the location $l$ and satisfies the inequality $l \leq l'$.


A closed interval in $L$ is specified with an ordered pair of comparable locations and contains all locations between them, e.g., $[(e_1, x_1), (e_2, x_2)]$. The partial ordering on comparable locations in $L$ is as follows: $(e_1, x_1) \leq (e_2, x_2)$ if and only if either $x_1 \leq x_2$ and $e_1 = e_2$, or $e_1.v_{final} = e_2.v_{init}$.


Due to the fact that the extent of a vehicle may extend beyond a split in the track topology, we redefine the notion of the section of the track occupied by a particular vehicle as the union of the intervals extending from the current position of the vehicle to a point on the track that is a distance $c_{len}$ downstream; that is, the extent of a vehicle $i \in I$ is the set $E_i = \bigcup_{l \in l_i + c_{len}} [l_i, l]$.
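The location arithmetic above is easy to get wrong at a diverge, where $l + y$ is a set rather than a single point, and at a vertex, which has two representations. The following Python model is an added example and is not code from the thesis: it implements the graph $G = (V, E)$, the three well-formedness conditions of Section 8.1, location addition, comparability, the partial order $\leq$, the extent $E_i$, and the location update performed by reset-location. The class and function names (TrackGraph, add, leq, extent, max_travel, ...) and the constructed five-edge topology and numeric values are this example's own assumptions.

```python
# Added example, not part of the thesis: a Python model of the track graph G = (V, E)
# of Section 8.1 and of the location arithmetic defined on it.
# All class and function names and the numeric values are this example's own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    name: str
    v_init: str     # initial vertex e.v_init
    v_final: str    # final vertex e.v_final
    length: float   # length(e)


class TrackGraph:
    def __init__(self, edges):
        self.edges = {e.name: e for e in edges}

    def out(self, v):
        return [e for e in self.edges.values() if e.v_init == v]

    def inc(self, v):
        return [e for e in self.edges.values() if e.v_final == v]

    def vertices(self):
        return {e.v_init for e in self.edges.values()} | {e.v_final for e in self.edges.values()}

    def y_shaped(self):
        """Every vertex is a plain junction, a binary merge or a binary diverge."""
        return all((len(self.inc(v)), len(self.out(v))) in {(1, 1), (2, 1), (1, 2)}
                   for v in self.vertices())

    def no_short_cycles(self):
        """All cycles have at least three edges: no self-loops and no two-edge cycles."""
        for e in self.edges.values():
            if e.v_init == e.v_final:
                return False
            if any(f.v_init == e.v_final and f.v_final == e.v_init for f in self.edges.values()):
                return False
        return True

    def edges_long_enough(self, delta):
        """Each edge exceeds delta, so a claim never reaches past the next junction."""
        return all(e.length > delta for e in self.edges.values())

    def add(self, loc, y):
        """The set loc + y: the points reached by traveling y downstream (branches at diverges)."""
        e, x = loc
        edge = self.edges[e]
        if x + y <= edge.length:
            return {(e, x + y)}
        rest = x + y - edge.length
        result = set()
        for succ in self.out(edge.v_final):
            result |= self.add((succ.name, 0.0), rest)
        return result

    def reset_location(self, loc):
        """reset-location(i): at (e, length(e)) the vehicle may continue on any outgoing edge."""
        e, x = loc
        if x != self.edges[e].length:
            return set()
        return {(succ.name, 0.0) for succ in self.out(self.edges[e].v_final)}

    def comparable(self, l1, l2):
        e1, e2 = self.edges[l1[0]], self.edges[l2[0]]
        return e1 is e2 or e1.v_final == e2.v_init or e1.v_init == e2.v_final

    def leq(self, l1, l2):
        """The partial order on comparable locations: same edge and x1 <= x2, or e1 feeds e2."""
        (e1, x1), (e2, x2) = l1, l2
        return (e1 == e2 and x1 <= x2) or self.edges[e1].v_final == self.edges[e2].v_init

    def extent(self, loc, c_len):
        """E_i: the intervals [l_i, l] for every l in l_i + c_len."""
        return {(loc, l) for l in self.add(loc, c_len)}


def max_travel(c_dot_max, d_max, c_ddot_brake):
    """Delta_{d_max}: run free for d_max at speed c_dot_max, then brake at c_ddot_brake (< 0)."""
    return c_dot_max * d_max - c_dot_max ** 2 / (2 * c_ddot_brake)


# Constructed topology: vertex u diverges into a (u->w) and e (u->z); b (w->m) and c (z->m)
# merge at m; d (m->u) closes two three-edge cycles. Every edge is 25 units long.
GRAPH = TrackGraph([
    Edge("a", "u", "w", 25.0), Edge("b", "w", "m", 25.0), Edge("c", "z", "m", 25.0),
    Edge("d", "m", "u", 25.0), Edge("e", "u", "z", 25.0),
])
```

With $\dot{c}_{max} = 10$, $d_{max} = 1$ and $\ddot{c}_{brake} = -5$ the bound $\Delta_{d_{max}}$ is 20, so the 25-unit edges satisfy the first condition, and adding 10 to the location (d, 20) on the edge into the diverge at u yields the two-element set {(a, 5), (e, 5)}, both comparable to and downstream of (d, 20).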

To break the right-of-way symmetry when vehicles approach a merge in the track topology, we must define a prioritization scheme. In Chapter 7, the prioritization was based on the configuration of the merge; namely, the vehicle traveling on the right branch of the merge had priority over a vehicle traveling on the left branch. In the case of the graph of tracks, the notion of either left, or right is not well defined. Therefore, we associate a unique priority index to each edge of the graph and give priority to vehicles traveling on the edge whose priority index is greater. Let the function $priority$ be an injection from the set of edges $E$ of the graph $G$ to the set of natural numbers $\mathbb{N}$; that is, $priority : E \to \mathbb{N}$, where for any $e, e' \in E$, $e \neq e'$, it is the case that $priority(e) \neq priority(e')$.


The new model of the physical system, called GRAPH-VEHICLES, is presented in Figure 8.1. The GRAPH-VEHICLES automaton is the result of augmenting the MERGE-VEHICLES automaton of Chapter 7 so as to involve a general track topology consisting of Y-shaped merges and diverges. Each of the reset-location($i$) actions, for $i \in I$, is enabled when the vehicle $i$ has reached the final point of the directed edge on which it is traveling, i.e., the vehicle $i$ is located on a vertex of the graph $G$. At that point in time, its location is nondeterministically set to the initial point of an arbitrary outgoing edge of the vertex on which the vehicle $i$ is located.

Figure 8.1 The GRAPH-VEHICLES automaton.

Actions:
  Input:
    $e$, the environment action (stuttering)
    protect($C$)$_j$, for all $C \in \mathcal{P}(I)$, $j \in J$
  Internal:
    colliding-pair($i, i'$), for all $i, i' \in I$, $i' \neq i$
    collision-effects($i$), for all $i \in I$
    brick-wall($i$), for all $i \in I$
    reset-location($i$), for all $i \in I$

Variables:
  Internal:
    $\ddot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\ddot{x}_i \in \mathbb{R}$
    brake($i$) $\in$ Bool, for all $i \in I$, initially False
    brake-req($i, j$) $\in$ Bool, for all $i \in I$, $j \in J$, initially False
  Output:
    $l_i \in L$, for all $i \in I$, initially $l_i \in L$
    $\dot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\dot{x}_i \in \mathbb{R}$
    collided($i, i'$) $\in$ Bool, for all $i, i' \in I$, $i' \neq i$, initially False
  subject to VALID

Discrete Transitions:
  protect($C$)$_j$
    Eff: for all $i \in C$
           brake-req($i, j$) := True
           if $\neg$brake($i$) then
             brake($i$) := True
             if $\dot{x}_i = 0$ then $\ddot{x}_i := 0$
             else $\ddot{x}_i := \ddot{c}_{brake}$
         for all $i \in I - C$
           brake-req($i, j$) := False
           if brake($i$) $\wedge$ $\neg(\bigvee_{k \in J}$ brake-req($i, k$)) then
             brake($i$) := False
             $\ddot{x}_i :\in [\ddot{c}_{min}, \ddot{c}_{max}]$

  colliding-pair($i, i'$)
    Pre: $\neg$collided($i, i'$)
         $\wedge$ ($E_i \cap E_{i'} \neq \emptyset$)
         $\wedge$ ($l_i < \min(E_i \cap E_{i'})$)
    Eff: collided($i, i'$) := True
         if ($l_i.e \neq l_{i'}.e$) $\wedge$ ($l_i.e.v_{final} = l_{i'}.e.v_{final}$) then
           collided($i', i$) := True

  collision-effects($i$)
    Pre: collided($*, i, *$)
    Eff: $\dot{x}_i :\in \mathbb{R}^{\geq 0}$
         $\ddot{x}_i :\in \mathbb{R}$

  brick-wall($i$)
    Pre: True
    Eff: $\dot{x}_i := 0$
         if brake($i$) then $\ddot{x}_i := 0$
         else $\ddot{x}_i :\in [0, \ddot{c}_{max}]$

  reset-location($i$)
    Pre: $l_i.x = length(l_i.e)$
    Eff: $l_i.e :\in out(l_i.e.v_{final})$
         $l_i.x := 0$

Trajectories:
  for all $i, i' \in I$, $i \neq i'$, collided($i, i'$) is constant throughout $w$
  for all $i \in I$ and $j \in J$, brake($i$) and brake-req($i, j$) are constant throughout $w$
  for all $i, i' \in I$, $i \neq i'$
    the function $w.\ddot{x}_i$ is integrable
    for all $t \in T$
      $w(t).\dot{x}_i = w(0).\dot{x}_i + \int_0^t w(s).\ddot{x}_i \, ds$
      $w(t).l_i.x = w(0).l_i.x + \int_0^t w(s).\dot{x}_i \, ds$
      if $\neg w.$collided($i, i'$) $\wedge$ ($w(t).E_i \cap w(t).E_{i'} \neq \emptyset$) $\wedge$ ($w(t).l_i < \min(w(t).E_i \cap w(t).E_{i'})$)
      then $t = w.ltime$
      if $w(t).l_i.x = length(w(t).l_i.e)$ then $t = w.ltime$
  subject to VALID


The remaining state variables, derived variables, and discrete actions of either the VEHICLES automaton of Chapter 4, or the MERGE-VEHICLES automaton of Chapter 7, as well as the notational shorthand collided($i, *$), collided($*, i$), and collided($*, i, *$), for all $i \in I$, defined for the VEHICLES automaton in Section 4.1, carry over to the GRAPH-VEHICLES automaton unchanged.


As in the case of the MERGE-VEHICLES automaton, the set of input actions of the GRAPH-VEHICLES automaton includes the actions protect($C$)$_j$, for $C \in \mathcal{P}(I)$ and $j \in J$; that is, the GRAPH-VEHICLES automaton allows each protector $j$, for $j \in J$, to brake any subset of the vehicles. However, it is often the case that a protector $j$, for some $j \in J$, need schedule only a subset of the actions protect($C$)$_j$, for $C \in \mathcal{P}(I)$. In such cases, the protector $j$ is specified as having only the output actions that it is capable of scheduling, and the remaining input actions of the GRAPH-VEHICLES automaton on port $j$ are ignored.

The VALID set of the GRAPH-VEHICLES automaton is the redefinition of the VALID set of the VEHICLES automaton to account for the new track topology representation.


VALID $\subseteq$ states(GRAPH-VEHICLES), defined as the set of states of the GRAPH-VEHICLES automaton that satisfy the following conditions:

1. There do not exist $i, i' \in I$, $i \neq i'$, such that the set $E_i \cap E_{i'}$ contains a positive length closed interval of $L$.

2. $\dot{x}_i \geq 0$, for all $i \in I$.

3. If $\neg$collided($*, i, *$) then $\ddot{x}_i \in [\ddot{c}_{min}, \ddot{c}_{max}]$, for all $i \in I$.

4. If $\neg$collided($*, i, *$) $\wedge$ brake($i$) then if $\dot{x}_i = 0$ then $\ddot{x}_i = 0$ else $\ddot{x}_i = \ddot{c}_{brake}$, for all $i \in I$.


The GRAPH-VEHICLES automaton complies with the assumptions made about the PP automaton in Section 3.2.1. The GRAPH-VEHICLES automaton has neither input variables, nor output actions, on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover, each of the actions protect($C_j$)$_j$, for $j \in J$ and $C_j = \{i \mid$ brake-req($i, j$) = True$\}$, is a no-op input action on port $j$ for any $R \subseteq$ VALID. Therefore, the set of no-op input actions on each port $j \in J$ and any $R \subseteq$ VALID is non-empty (Axiom 3.2.3).
8.2 Auxiliary Derived Variables and Auxiliary Sets for the GRAPH-VEHICLES Automaton


In this section, we define auxiliary derived variables and sets for the GRAPH-VEHICLES automaton. Most of these variables and sets carry over from either the VEHICLES, or the MERGE-VEHICLES automata. In such cases, the variables and sets are redefined only when their extension to the GRAPH-VEHICLES automaton is not obvious.

As in Chapter 7, we assume that the variables $stop\text{-}dist_i$, $max\text{-}range_i(t)$, and $max\text{-}vel_i(t)$, defined for the VEHICLES automaton in Section 4.3, extend to involve location instead of position variables in the obvious way.


As in the case of the extents of the vehicles of the GRAPH-VEHICLES automaton, we redefine the sections of track owned and claimed by the vehicles in the GRAPH-VEHICLES automaton. While their formal definitions appear in Table 8.1, their informal interpretations follow.

$O_i$, for $i \in I$, is the section of track that the vehicle $i$ "owns". A vehicle $i$ owns all track intervals that extend from the current position of the vehicle $i$ to the points on the track that the vehicle $i$ can reach even if it is braked immediately. Due to the possibility of such track intervals extending beyond a split in the track topology, the variable $O_i$ is the union of all the intervals that the vehicle $i$ owns.

$C_i(t)$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, is the section of track that the vehicle $i$ "claims" within $t$ time units. A vehicle $i$ claims within $t$ time units all track intervals that extend from the current position of the vehicle $i$ to the points on the track that the vehicle $i$ can reach if braked after $t$ time units and assuming worst-case vehicle behavior up to the point in time when it is braked. Due to the possibility of such track intervals extending beyond a split in the track topology, the variable $C_i(t)$ is the union of all the intervals that the vehicle $i$ claims within $t$ time units.


Henceforth, we assume that the sets disjoint-extents($i, i'$), disjoint-owned-tracks($i, i'$), and disjoint-claimed-tracks($i, i', t$), for $i, i' \in I$, $i \neq i'$ and $t \in \mathbb{R}^{\geq 0}$, defined for the VEHICLES automaton in Section 4.3, have been extended to the GRAPH-VEHICLES automaton to incorporate the redefinitions of the derived variables used in their definitions. Moreover, we assume that the Lemmas 4.4.1, 4.4.2, 4.4.3, 4.4.4, and 4.4.5 extend to the GRAPH-VEHICLES automaton in the obvious way.


Table 8.1 Auxiliary derived variables for the GRAPH-VEHICLES automaton.

$O_i \subseteq L$, for all $i \in I$, defined by
  $O_i = \bigcup_{l \in l_i + (stop\text{-}dist_i + c_{len})} [l_i, l]$

$C_i(t) \subseteq L$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by
  $C_i(t) = \bigcup_{l \in l_i + (max\text{-}range_i(t) - max\text{-}vel_i(t)^2 / (2\ddot{c}_{brake}) + c_{len})} [l_i, l]$

Several auxiliary sets for the GRAPH-VEHICLES automaton are described below. Their formal definitions appear in Table 8.2.

successive($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which the vehicles $i$ and $i'$ are traveling in succession either on the same, or on successive directed edges; that is, states in which either the vehicle $i$ is downstream of the vehicle $i'$, or the vehicle $i'$ is downstream of the vehicle $i$.


adjacent($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which the vehicles $i$ and $i'$ are traveling on different tracks that lead to the same junction; that is, the edges on which the vehicles $i$ and $i'$ are traveling are distinct and have the same final vertex.

proximate($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which the vehicles $i$ and $i'$ are traveling either in succession as defined by the set successive($i, i'$), or on adjacent tracks as defined by the set adjacent($i, i'$).

remote($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which the vehicles $i$ and $i'$ are traveling neither in succession as defined by the set successive($i, i'$), nor on adjacent tracks as defined by the set adjacent($i, i'$).

yield-successive($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of successive($i, i'$) that consists of the states in which, in the case of a claim overlap among the vehicles $i$ and $i'$, the vehicle $i$ must yield to the vehicle $i'$. When the vehicles $i$ and $i'$ are traveling in succession, the vehicle $i$ must yield to the vehicle $i'$ if the vehicle $i$ is trailing the vehicle $i'$. The vehicle $i$ is said to be trailing the vehicle $i'$ if the location of the vehicle $i$ is strictly less than the location of the vehicle $i'$.

yield-adjacent($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of adjacent($i, i'$) that consists of the states in which, in the case of a claim overlap among the vehicles $i$ and $i'$, the vehicle $i$ must yield to the vehicle $i'$. When the vehicles $i$ and $i'$ are traveling on adjacent incoming tracks, the vehicle $i$ must yield to the vehicle $i'$ if either only the vehicle $i'$ owns the upcoming merge point, or the vehicle $i'$ has priority and neither or both vehicles own the merge point.

yield($i, i'$), for $i, i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which, in the case of a claim overlap among the vehicles $i$ and $i'$, the vehicle $i$ must yield to the vehicle $i'$ in order to prevent a potential collision between the vehicles $i$ and $i'$.

Table 8.2 Auxiliary sets for the GRAPH-VEHICLES automaton.

successive($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  successive($i, i'$) $= \{p \in$ VALID $\mid (p.l_i.e = p.l_{i'}.e) \vee (p.l_i.e.v_{final} = p.l_{i'}.e.v_{init}) \vee (p.l_{i'}.e.v_{final} = p.l_i.e.v_{init})\}$

adjacent($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  adjacent($i, i'$) $= \{p \in$ VALID $\mid (p.l_i.e \neq p.l_{i'}.e) \wedge (p.l_i.e.v_{final} = p.l_{i'}.e.v_{final})\}$

proximate($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  proximate($i, i'$) = successive($i, i'$) $\cup$ adjacent($i, i'$)

remote($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  remote($i, i'$) = VALID $-$ proximate($i, i'$)

yield-successive($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  yield-successive($i, i'$) $= \{p \in$ successive($i, i'$) $\mid p.l_i < p.l_{i'}\}$

yield-adjacent($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  yield-adjacent($i, i'$) $= \{p \in$ adjacent($i, i'$) $\mid$
    $((p.l_i.e, length(p.l_i.e)) \notin p.O_i \wedge (p.l_{i'}.e, length(p.l_{i'}.e)) \in p.O_{i'})$
    $\vee ((p.l_i.e, length(p.l_i.e)) \in p.O_i \wedge (p.l_{i'}.e, length(p.l_{i'}.e)) \in p.O_{i'} \wedge priority(p.l_i.e) < priority(p.l_{i'}.e))$
    $\vee ((p.l_i.e, length(p.l_i.e)) \notin p.O_i \wedge (p.l_{i'}.e, length(p.l_{i'}.e)) \notin p.O_{i'} \wedge priority(p.l_i.e) < priority(p.l_{i'}.e))\}$

yield($i, i'$) $\subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  yield($i, i'$) = yield-successive($i, i'$) $\cup$ yield-adjacent($i, i'$)


The following lemma describes some properties of the sets defined above.

Lemma 8.2.1 For all $i, i' \in I$, $i \neq i'$, the following hold:

1. VALID = proximate($i, i'$) $\cup$ remote($i, i'$).
2. proximate($i, i'$) $\cap$ remote($i, i'$) $= \emptyset$.
3. successive($i, i'$) = yield-successive($i, i'$) $\cup$ yield-successive($i', i$).
4. yield-successive($i, i'$) $\cap$ yield-successive($i', i$) $= \emptyset$.
5. adjacent($i, i'$) = yield-adjacent($i, i'$) $\cup$ yield-adjacent($i', i$).
6. yield-adjacent($i, i'$) $\cap$ yield-adjacent($i', i$) $= \emptyset$.

Proof: We prove each of the conditions separately:

1. The condition that VALID = proximate($i, i'$) $\cup$ remote($i, i'$), for each $i, i' \in I$, $i \neq i'$, follows from the definition of the sets proximate($i, i'$) and remote($i, i'$).

2. As for the first condition, the condition that proximate($i, i'$) $\cap$ remote($i, i'$) $= \emptyset$, for each $i, i' \in I$, $i \neq i'$, follows from the definition of the sets proximate($i, i'$) and remote($i, i'$).

3. For all $i, i' \in I$, $i \neq i'$, the sets yield-successive($i, i'$) and yield-successive($i', i$) are both subsets of the set successive($i, i'$). Therefore, it suffices to show that any state $p$ in the set successive($i, i'$), for some $i, i' \in I$, $i \neq i'$, is either in the set yield-successive($i, i'$), or in the set yield-successive($i', i$).

   Let the state $p$ be any state in successive($i, i'$), for some $i, i' \in I$, $i \neq i'$. Since successive($i, i'$) $\subseteq$ VALID, it is the case that $p \in$ VALID. Therefore, the sections of the track occupied by the vehicles $i$ and $i'$ do not have a positive length closed interval overlap. It follows that it is not possible for their locations to coincide; that is, for any $p \in$ successive($i, i'$), it is the case that $p.l_i \neq p.l_{i'}$. Therefore, regarding the ordering of the locations of the vehicles $i$ and $i'$, there are only two viable cases:

   (a) $p.l_i < p.l_{i'}$. In this case, $p \in$ yield-successive($i, i'$).
   (b) $p.l_{i'} < p.l_i$. In this case, $p \in$ yield-successive($i', i$).

4. If $p \in$ yield-successive($i, i'$) then it is the case that $p.l_i < p.l_{i'}$. It follows that $p \notin$ yield-successive($i', i$). Similarly, if $p \in$ yield-successive($i', i$) then it is the case that $p.l_{i'} < p.l_i$. It follows that $p \notin$ yield-successive($i, i'$). This suffices.
5. For all $i, i' \in I$, $i \neq i'$, the sets yield-adjacent($i, i'$) and yield-adjacent($i', i$) are both subsets of the set adjacent($i, i'$). Therefore, it suffices to show that any state $p$ in the set adjacent($i, i'$), for some $i, i' \in I$, $i \neq i'$, is either in the set yield-adjacent($i, i'$), or in the set yield-adjacent($i', i$).

   Let the state $p$ be any state in adjacent($i, i'$), for some $i, i' \in I$, $i \neq i'$, and without loss of generality let the vehicle $i'$ be the vehicle traveling on the incoming edge of greater priority, i.e., $priority(p.l_i.e) < priority(p.l_{i'}.e)$. Regarding the ownership of the merge point by each of the vehicles, there are four cases:

   (a) $(out, 0) \in p.O_i \wedge (out, 0) \in p.O_{i'}$. In this case, $p \in$ yield-adjacent($i, i'$) and $p \notin$ yield-adjacent($i', i$).
   (b) $(out, 0) \notin p.O_i \wedge (out, 0) \notin p.O_{i'}$. Similarly to above, $p \in$ yield-adjacent($i, i'$) and $p \notin$ yield-adjacent($i', i$).
   (c) $(out, 0) \notin p.O_i \wedge (out, 0) \in p.O_{i'}$. In this case, $p \in$ yield-adjacent($i, i'$) and $p \notin$ yield-adjacent($i', i$).
   (d) $(out, 0) \in p.O_i \wedge (out, 0) \notin p.O_{i'}$. In this case, $p \notin$ yield-adjacent($i, i'$) and $p \in$ yield-adjacent($i', i$).

6. This condition follows from the analysis in the proof of condition 5. ∎


8.3 Protection System GRAPH-PROT-PAIR$_{\{i,i'\}}$

The GRAPH-PROT-PAIR$_{\{i,i'\}}$ automata, for $i, i' \in I$, $i \neq i'$, are vehicle-pair collision protectors and guarantee that the vehicles $i$ and $i'$ do not collide into each other, provided that all the vehicles are abiding by the speed limit and the vehicles of all other vehicle pairs do not collide between themselves. Each of the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protectors, for $i, i' \in I$, $i \neq i'$, is an implementation of the abstract protector of Section 3.2 specialized to particular definitions of the parameters PP, $S$, $R$, $G$, $j$, and $d$.


The physical plant automaton, PP, is defined to be the GRAPH-VEHICLES automaton of Figure 8.1. The port $j$ and the sampling period $d$ are defined to be the port and sampling period with which the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ communicates with the GRAPH-VEHICLES automaton. While the port $j$ is assumed arbitrary, the sampling period $d$ is restricted to the set $(0, d_{max}]$, where $d_{max}$ is the maximum protector sampling period presented in Section 8.1. The set of "good" states $G$ is defined to be the set of states in which the vehicles $i$ and $i'$ have not collided into each other, i.e., $G = \text{VALID} - P_{collided(i,i')} - P_{collided(i',i)}$. In this chapter, we use the notation $G_{\{i,i'\}}$ to denote the definition of $G$ that is specific to the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector. The set $R$ is defined to be the set $R = P_{\neg overspeed} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$. This definition restricts the states of the GRAPH-VEHICLES automaton to states in which all the vehicles are abiding by the speed limit and in which the vehicles of all other vehicle pairs $\{i'', i'''\}$, for $i'', i''' \in I$, $i'' \neq i'''$, $\{i'', i'''\} \neq \{i, i'\}$, have not collided into each other. The set $S$ is defined to be the set safe defined in Section 3.2.1; that is, the set of states of the PP automaton for which a single input action of PP on port $j$ can guarantee that, provided no new input actions on port $j$ are allowed, all subsequently $R$-reachable states will be in $G$. Once again, the definition of the set safe is specialized to the above definitions of the automaton PP, the sets $R$ and $G$, and the port $j$. In this chapter, we use the notation $R_{\{i,i'\}}$ and $S_{\{i,i'\}}$ to refer to the above definitions of the sets $R$ and $S$.


The GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector automaton is an implementation of the abstract protector automaton Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$). More precisely, as is the case for the abstract protector Abs$_j$, we define the GRAPH-PROT-PAIR$_{\{i,i'\}}$ automaton to be the composition of a sensor and a discrete controller automaton. These automata are implementations of their abstract equivalents of Figures 3.2 and 3.3 specialized, however, to the above definitions of the parameters PP, $S$, $R$, $G$, $j$, and $d$. The sensor automaton is precisely the specialization of the sensor automaton of Figure 3.2 to the above definitions of the parameters PP, etc. The discrete controller automaton is defined in Figure 8.2.


The braking strategy of the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector is as follows. The protector is allowed to brake the vehicles $i$ and $i'$ only if the sections of the track they claim in $d$ time units overlap. Given that the vehicles $i$ and $i'$ are indeed involved in such a claim overlap, there are two possible scenarios depending on whether the vehicles $i$ and $i'$ are traveling in succession, or on adjacent tracks. If the vehicles are traveling in succession, then the vehicle $i$ is instructed to brake if it trails the vehicle $i'$; otherwise, the vehicle $i'$ is instructed to brake. On the other hand, if the vehicles $i$ and $i'$ are traveling on adjacent edges, the vehicle $i$ is instructed to brake either if only the vehicle $i'$ owns the merge point, or if both or neither vehicles own the merge point and the vehicle $i'$ is traveling on the edge of greater priority; otherwise, the vehicle $i'$ is instructed to brake.
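The following Python model is an added example, not code from the thesis, that serves both the yield sets of Table 8.2 and Lemma 8.2.1 above and the braking strategy just described: it computes successive, adjacent, yield-successive and yield-adjacent for a pair of vehicles on a graph with edge priorities, decides which vehicle the protector brakes when their $d$-claims overlap, and checks the partition property of Lemma 8.2.1 (items 3 to 6) on constructed states. The claim length used for the overlap test (a worst-case free run at acceleration $\ddot{c}_{max}$ for $d$ time units, then braking at $\ddot{c}_{brake}$, plus $c_{len}$) follows the informal description of $C_i(t)$ in Section 8.2 but the constants, the five-edge topology, and all function names (snapshot, yields, owns_merge_point, ...) are this example's own assumptions; ownership of the merge point is tested as the owned track reaching the end of the vehicle's edge, which relies on the page's assumption that every edge is longer than $\Delta_{d_{max}}$.

```python
# Added example, not part of the thesis: the yield sets of Table 8.2 and the
# snapshot(y)_j decision of the GRAPH-PROT-PAIR{i,i'} discrete controller (Figure 8.2).
# Constants, topology and helper names are this example's own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    v_init: str
    v_final: str
    length: float
    priority: int          # injective over the edge set, as required of priority : E -> N


@dataclass(frozen=True)
class Vehicle:
    edge: str              # l_i.e
    x: float               # l_i.x, distance from the edge's initial vertex
    vel: float             # dot x_i >= 0 (VALID, condition 2)


C_LEN = 2.0                # c_len, vehicle length (constructed value)
A_MAX = 2.0                # c''_max, maximum acceleration (constructed value)
A_BRAKE = -5.0             # c''_brake, braking acceleration, negative (constructed value)

# Constructed topology: b (w->m) and c (z->m) merge at m; a (u->w) feeds b; a and c are remote.
GRAPH = {
    "a": Edge("u", "w", 25.0, 1), "b": Edge("w", "m", 25.0, 2), "c": Edge("z", "m", 25.0, 3),
    "d": Edge("m", "u", 25.0, 4), "e": Edge("u", "z", 25.0, 5),
}


def successive(g, p, q):
    ep, eq = g[p.edge], g[q.edge]
    return p.edge == q.edge or ep.v_final == eq.v_init or eq.v_final == ep.v_init


def adjacent(g, p, q):
    return p.edge != q.edge and g[p.edge].v_final == g[q.edge].v_final


def trails(g, p, q):
    """p.l < q.l on comparable locations: same edge and smaller x, or p's edge feeds q's edge."""
    if p.edge == q.edge:
        return p.x < q.x
    return g[p.edge].v_final == g[q.edge].v_init


def stop_dist(vel):
    """Braking distance from speed vel at acceleration A_BRAKE (< 0)."""
    return -vel * vel / (2 * A_BRAKE)


def owns_merge_point(g, p):
    """(out, 0) = (p.edge, length(p.edge)) lies in O_p: the owned track reaches the edge end."""
    return g[p.edge].length - p.x <= stop_dist(p.vel) + C_LEN


def claim_len(p, d):
    """Track claimed within d time units: worst-case free run, then braking, plus c_len."""
    max_vel = p.vel + A_MAX * d
    max_range = p.vel * d + 0.5 * A_MAX * d * d
    return max_range + stop_dist(max_vel) + C_LEN


def claims_overlap(g, p, q, d):
    """Complement of disjoint-claimed-tracks(p, q, d); remote pairs cannot overlap (edge length bound)."""
    if successive(g, p, q):
        lead, trail = (q, p) if trails(g, p, q) else (p, q)
        gap = lead.x - trail.x if lead.edge == trail.edge else g[trail.edge].length - trail.x + lead.x
        return claim_len(trail, d) >= gap
    if adjacent(g, p, q):
        return (claim_len(p, d) >= g[p.edge].length - p.x and
                claim_len(q, d) >= g[q.edge].length - q.x)
    return False


def yields(g, p, q):
    """yield(i, i') = yield-successive(i, i') U yield-adjacent(i, i') of Table 8.2."""
    if successive(g, p, q):
        return trails(g, p, q)
    if adjacent(g, p, q):
        op, oq = owns_merge_point(g, p), owns_merge_point(g, q)
        if op != oq:
            return oq                                      # only i' owns the merge point
        return g[p.edge].priority < g[q.edge].priority     # both or neither own it
    return False


def snapshot(g, i, i_, d):
    """Effect of snapshot(y)_j in Figure 8.2: which of {"i", "i'"} the protector brakes."""
    if not claims_overlap(g, i, i_, d):
        return set()
    return {"i"} if yields(g, i, i_) else {"i'"}


def exactly_one_yields(g, p, q):
    """Lemma 8.2.1 (3)-(6): on proximate states exactly one of yield(i,i'), yield(i',i) holds."""
    return yields(g, p, q) != yields(g, q, p)
```

With $d = 1$, two vehicles at 5 m/s on the same edge at $x = 5$ and $x = 12$ have a 12.9-unit claim against a 7-unit gap, so the trailing vehicle is braked; two vehicles 5 units short of the merge on edges b and c, neither of which owns the merge point, resolve by priority and the vehicle on b (lower priority) yields; moving one of them to 3 units short of the merge makes it the sole owner and the other vehicle yields regardless of priority.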


It is important to note that the abstract protector automaton Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$) complies with the assumptions made about the abstract protector in Section 3.2.1. In particular, since the vehicle location variables, the vehicle velocity variables, and the collided variables are output variables of the GRAPH-VEHICLES automaton, the set safe is $Y_{GRAPH-VEHICLES}$-determinable and actions that guarantee safety can be determined from the output variables of the GRAPH-VEHICLES automaton (Axioms 3.2.4 and 3.2.5, respectively). Moreover, the sets $R_{\{i,i'\}}$ and $G_{\{i,i'\}}$ are $Y_{GRAPH-VEHICLES}$-determinable (Axioms 3.2.6 and 3.2.7, respectively) and the set of start states $S_{\{i,i'\}}$ is a subset of the set safe (Axiom 3.2.8), since $S_{\{i,i'\}}$ is defined to be the set safe.


In Section 3.1 it was shown that the abstract protector Abs$_j$ guarantees that the physical plant PP remains within $G$ starting from $S$ given $R$. Similarly, the GRAPH-PROT-PAIR$_{\{i,i'\}}$ automaton guarantees that the GRAPH-VEHICLES automaton remains within $G_{\{i,i'\}}$ starting from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$. This is shown in the following section.

Figure 8.2 Discrete controller automaton for the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$.

Actions:
  Input:
    $e$, the environment action (stuttering)
    snapshot($y$)$_j$, for each valuation $y$ of $Y_{GRAPH-VEHICLES}$
  Output:
    protect($C$)$_j$, for $C \in \mathcal{P}(\{i, i'\})$

Variables:
  Internal:
    send$_j \in \mathcal{P}(\{i, i'\}) \cup$ null, initially null

Discrete Transitions:
  snapshot($y$)$_j$
    Eff: if $y \notin$ disjoint-claimed-tracks($i, i', d$) then
           if $y \in$ yield($i, i'$) then
             send$_j := \{i\}$
           else
             send$_j := \{i'\}$
         else
           send$_j := \emptyset$

  protect($C$)$_j$
    Pre: send$_j = C$
    Eff: send$_j$ := null

Trajectories:
  $w.$send$_j$ = null


8.4 Correctness of GRAPH-PROT-PAIR$_{\{i,i'\}}$

The main result to be shown is that GRAPH-PROT-PAIR$_{\{i,i'\}} \leq$ Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$). Since both GRAPH-PROT-PAIR$_{\{i,i'\}}$ and Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$) involve the composition of the same sensor automaton with distinct discrete controller automata, Theorem 2.7.4 applies. Therefore, it suffices to show that the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ of Figure 8.2 implements the discrete controller automaton DC(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$) of Figure 3.3. From Theorem 2.6.1, this follows by showing that there exists a simulation relation between the states of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ and the discrete controller automaton DC(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$). We first give some set definitions, then prove some lemmas, and finally show the existence of such a simulation relation.

Table 8.3 Sets used in the correctness proof of GRAPH-PROT-PAIR$_{\{i,i'\}}$.

$W_{\{i,i'\}} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap$ disjoint-owned-tracks($i, i'$)

$B_{\{i,i'\}} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $B_{\{i,i'\}} = W_{\{i,i'\}} \cap P_{brake(i)} \cap P_{brake(i')}$

$V_{(i,i')} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $V_{(i,i')} = \{p \in W_{\{i,i'\}} \cap P_{brake(i)} \mid (p \in$ successive($i, i'$) $\wedge\ p.l_i < p.l_{i'})$
    $\vee\ (p \in$ adjacent($i, i'$) $\wedge\ p.O_i \subseteq [p.l_i, (p.l_i.e, length(p.l_i.e))])\}$

$V_{\{i,i'\}} \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, defined by
  $V_{\{i,i'\}} = V_{(i,i')} \cup V_{(i',i)}$

$T_{\{i,i'\}}(t) \subseteq$ VALID, for $i, i' \in I$, $i \neq i'$, and $t \in \mathbb{R}^{\geq 0}$, defined by
  $T_{\{i,i'\}}(t) = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap$ disjoint-claimed-tracks($i, i', t$)


In this section, we use the notation future$_{\{i,i'\}}$, safe$_{\{i,i'\}}$, very-safe$_{\{i,i'\}}$, and delay-safe$_{\{i,i'\}}$ to denote the specialization of the function future, the sets safe and very-safe, and the function delay-safe, which are defined in Section 3.2.1, to the automaton GRAPH-VEHICLES, the sets $R_{\{i,i'\}}$ and $G_{\{i,i'\}}$, and the port $j$ of the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector. Moreover, since the environment action of the GRAPH-VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs involving the PP automaton.


We proceed by defining several sets that are used in the correctness proof of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$. For reference, their formal definitions appear in Table 8.3.

Let $W_{\{i,i'\}}$ be the subset of $R_{\{i,i'\}} \cap G_{\{i,i'\}}$ comprised of the states in which the section of the track owned by the vehicle $i$ does not overlap the section of track owned by the vehicle $i'$; that is, $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap$ disjoint-owned-tracks($i, i'$).


Let $B_{\{i,i'\}}$ be the subset of $W_{\{i,i'\}}$ comprised of the states in which the vehicles $i$ and $i'$ are both being instructed to brake by the protector $j$; that is, $B_{\{i,i'\}} = W_{\{i,i'\}} \cap P_{brake(i)} \cap P_{brake(i')}$.

Let $V_{(i,i')}$ be the subset of $W_{\{i,i'\}}$ comprised of the states in which the vehicle $i$ is being instructed to brake by the protector $j$ and either the vehicles $i$ and $i'$ are traveling in succession and $l_i < l_{i'}$, i.e., the vehicle $i$ is trailing the vehicle $i'$, or the vehicles $i$ and $i'$ are adjacent and the section of the track owned by the vehicle $i$ is entirely upstream of the merge point $(out, 0)$. Moreover, let $V_{\{i,i'\}}$ be defined as $V_{\{i,i'\}} = V_{(i,i')} \cup V_{(i',i)}$.


Let Ty; i (t), where t € R2°, be the subset of Rein 1 Gein comprised of the states in 
which the section of the track claimed in time ¢ by the vehicle 7 does not overlap the 
section of the track claimed in time ¢ by the vehicle 2’; that is, Tr; y(t) = Ravin AG Gen 


disjoint-claimed-tracks( i, i’, t). 


The following lemma defines the relation among the sets $G_{i,i'}$, $W_{i,i'}$, $B_{i,i'}$, $V_{i,i'}$, and $T_{i,i'}(t)$, for $t \in \mathbb{R}^{\ge 0}$.

Lemma 8.4.1 For all $t,t' \in \mathbb{R}^{\ge 0}$, $t \le t'$, the following hold:

be
$T_{i,i'}(t) \subseteq W_{i,i'} \subseteq G_{i,i'}$.
$V_{i,i'} \subseteq W_{i,i'} \subseteq G_{i,i'}$.

Proof: Follows directly from the definitions of the sets $W_{i,i'}$, $B_{i,i'}$, $V_{i,i'}$, and $T_{i,i'}(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and Lemma 4.4.2. ■


In the next two lemmas, we show that any state $p$ in the set $B_{i,i'}$ is in the set $\textit{very-safe}_{i,i'}$; that is, any state $R_{i,i'}$-reachable from $p$ through an execution fragment that involves no input actions on port $j$ is in the set $G_{i,i'}$. In the first lemma, we show that any state that is $R_{i,i'}$-reachable from $p$ through an execution fragment that involves no input actions on port $j$ is in the set $W_{i,i'}$. In the second lemma, we show that $B_{i,i'} \subseteq \textit{very-safe}_{i,i'}$.

Lemma 8.4.2 $\textit{future}_{i,i'}(B_{i,i'}, \mathbb{R}^{\ge 0}) \subseteq W_{i,i'}$.


Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $B_{i,i'}$, is only comprised of states in $R_{i,i'}$, and involves no input actions on port $j$. Let $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{final} \in W_{i,i'}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in B_{i,i'}$, Lemma 8.4.1, part 3, implies that $p_{final} \in W_{i,i'}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, then $p_{final} \in W_{i,i'}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{final}$ is the final state of $\alpha'$, then it is the case that $p'_{final} \in W_{i,i'}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, we consider all possible discrete actions by cases:

1. the actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. Moreover, since the $\textit{brick-wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

3. the $\textit{brick-wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i')$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \le p'_{final}.\dot{x}_{i'}$. Moreover, since the $\textit{brick-wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$ and $p_{final}.O_i \subseteq p'_{final}.O_i$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

4. the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it is the case that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

5. the internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \ne i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{i,i'}$ and $p'_{final} \in W_{i,i'}$.

Since $p_{init} \in B_{i,i'} \subseteq P_{B_i} \cap P_{B_{i'}}$ and the execution fragment leading from $p_{init}$ to $p'_{final}$ involves no input actions on port $j$, it follows that $p'_{final} \in P_{B_i} \cap P_{B_{i'}}$. Therefore, in the case of a trajectory from $p'_{final}$ to $p_{final}$, Lemma 4.4.4, part 1, implies that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Moreover, since $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$ and the variables $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ remain constant throughout the trajectory, it follows that $p_{final} \in G_{i,i'}$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$, as needed. ■


Lemma 8.4.3 $B_{i,i'} \subseteq \textit{very-safe}_{i,i'}$.

Proof: Follows directly from Lemma 8.4.2, Lemma 8.4.1, part 3, and the definition of $\textit{very-safe}$ in Section 3.2.1. ■


In the next three lemmas and the subsequent corollary, we show that the sets $W_{i,i'}$ and $\textit{safe}_{i,i'}$ are equal. First, we show that any state that is $R_{i,i'}$-reachable from a state $p$ in $W_{i,i'}$ through an execution fragment that involves no input actions on port $j$ and has a limit time equal to zero is in the set $W_{i,i'}$. Then, we show that $W_{i,i'} \subseteq \textit{safe}_{i,i'}$ and $\textit{safe}_{i,i'} \subseteq W_{i,i'}$. Finally, the subsequent corollary states that $W_{i,i'} = \textit{safe}_{i,i'}$.

Lemma 8.4.4 $\textit{future}_{i,i'}(W_{i,i'}, 0) \subseteq W_{i,i'}$.


Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that: starts in a state in $W_{i,i'}$, is only comprised of states in $R_{i,i'}$, involves no input actions on port $j$, and has a limit time equal to zero. Let $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{final} \in W_{i,i'}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, then $p_{final} \in W_{i,i'}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{final}$ is the final state of $\alpha'$, then it is the case that $p'_{final} \in W_{i,i'}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{final}$ to $p_{final}$.

To complete the induction, we consider all possible discrete actions by cases:

1. the actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. Moreover, since the $\textit{brick-wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

3. the $\textit{brick-wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i')$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \le p'_{final}.\dot{x}_{i'}$. Moreover, since the $\textit{brick-wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$ and $p_{final}.O_i \subseteq p'_{final}.O_i$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it follows that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

4. the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{i,i'} \subseteq G_{i,i'}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{i,i'} \subseteq \textit{disjoint-owned-tracks}(i,i')$, it is the case that $p_{final} \in \textit{disjoint-owned-tracks}(i,i')$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{i,i'}$, it follows that $p_{final} \in W_{i,i'}$.

5. the internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \ne i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{i,i'}$ and $p'_{final} \in W_{i,i'}$. ■


Lemma 8.4.5 $W_{i,i'} \subseteq \textit{safe}_{i,i'}$.

Proof: From the definition of $\textit{safe}$ in Section 3.2.1, we must show that any state $p \in W_{i,i'}$ satisfies: (i) $\textit{future}_{i,i'}(p,0) \subseteq G_{i,i'}$, and (ii) there exists some input action $\pi$ on port $j$ such that for every $p',p'' \in R_{i,i'}$ satisfying $p' \in \textit{future}_{i,i'}(p,0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{very-safe}_{i,i'}$.

(i) Since $p \in W_{i,i'}$, the first condition follows from Lemma 8.4.4 and Lemma 8.4.1, part 1.
(ii) For the second condition, let $\pi$ be the action $\textit{protect}(\{i,i'\})_j$.

From Lemma 8.4.4, it follows that $p' \in W_{i,i'}$. Now, considering the step from $p'$ to $p''$, since the $\textit{protect}(\{i,i'\})_j$ action affects neither the velocity of any of the vehicles, nor any of the $\textit{collided}$ variables, it follows that $p'' \in R_{i,i'}$, $p'' \in G_{i,i'}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$ and $p''.O_{i'} \subseteq p'.O_{i'}$. Since $p' \in W_{i,i'}$, it follows that $p'' \in \textit{disjoint-owned-tracks}(i,i')$. From the above conditions, it follows that $p'' \in W_{i,i'}$.

Moreover, since the $\textit{protect}(\{i,i'\})_j$ action sets the internal variables $\textit{brake-req}(i,j)$ and $\textit{brake-req}(i',j)$ to True, it is the case that $p'' \in P_{B_i} \cap P_{B_{i'}}$. Since $p'' \in W_{i,i'}$, it follows that $p'' \in B_{i,i'}$.

Finally, Lemma 8.4.3 implies that $p'' \in \textit{very-safe}_{i,i'}$, as needed. ■


Lemma 8.4.6 For any $p \in R_{i,i'}$, if $p \in \textit{safe}_{i,i'}$ then $p \in W_{i,i'}$.

Proof: We show the contrapositive; that is, for any $p \in R_{i,i'}$, if $p \notin W_{i,i'}$ then $p \notin \textit{safe}_{i,i'}$. Since $W_{i,i'} = R_{i,i'} \cap G_{i,i'} \cap \textit{disjoint-owned-tracks}(i,i')$ and $p \in R_{i,i'}$, we consider the conditions $p \notin G_{i,i'}$ and $p \notin \textit{disjoint-owned-tracks}(i,i')$ separately.

1. $p \notin G_{i,i'}$.
From Lemma 3.2.4, part 1, it is the case that $\textit{safe}_{i,i'} \subseteq G_{i,i'}$. Since $p \notin G_{i,i'}$, it follows that $p \notin \textit{safe}_{i,i'}$.

2. $p \notin \textit{disjoint-owned-tracks}(i,i')$.
We must show that $p \notin \textit{safe}_{i,i'}$. In order for the state $p \in R_{i,i'}$ to be in the set $\textit{safe}_{i,i'}$ there must exist some input action $\pi$ on port $j$ such that for every $p',p'' \in R_{i,i'}$ satisfying $p' \in \textit{future}_{i,i'}(p,0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{very-safe}_{i,i'}$. Therefore, it suffices to show that for any input action $\pi$ on port $j$, there exist $p',p'' \in R_{i,i'}$ satisfying $p' \in \textit{future}_{i,i'}(p,0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \textit{very-safe}_{i,i'}$.
Using similar analyses to those presented in the proofs of Lemmas 6.2.9 and 7.4.10, it can be shown that for any $p \in R_{i,i'}$ and any input action $\pi$ on port $j$, there exist $p',p'' \in R_{i,i'}$ satisfying $p' \in \textit{future}_{i,i'}(p,0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \textit{very-safe}_{i,i'}$. It follows that $p \notin \textit{safe}_{i,i'}$, as needed. ■

Corollary 8.4.7 $W_{i,i'} = \textit{safe}_{i,i'}$.

Proof: Follows directly from Lemmas 8.4.5 and 8.4.6. ■


In the following three lemmas, we show that any state $R_{i,i'}$-reachable from a state in $V^{(i)}_{i,i'}$ through an execution fragment that involves no input actions on port $j$ and has a limit time that lies in the interval $[0, d_{max}]$ is in the set $W_{i,i'}$. In the first lemma, we show that if the final state of such an execution fragment is in $G_{i,i'}$, and the section of track owned by the vehicle $i$ has not grown since the beginning of the execution fragment, then the final state of the execution fragment is in $W_{i,i'}$. In the second lemma, we show that the final state of any such execution fragment is in $G_{i,i'}$ and the section of track owned by the vehicle $i$ does not grow throughout the execution fragment. The third lemma states the desired property, which follows directly from the first two lemmas.

Lemma 8.4.8 Let $p \in V^{(i)}_{i,i'}$ and $p' \in \textit{future}_{i,i'}(p, [0, d_{max}])$. If $p' \in G_{i,i'}$ and $p'.O_i \subseteq p.O_i$, then $p' \in W_{i,i'}$.


Proof: We need to show that $p' \in W_{i,i'}$; that is, we need to show that the state $p'$ is in the set $R_{i,i'} \cap G_{i,i'} \cap \textit{disjoint-owned-tracks}(i,i')$. Since $p' \in G_{i,i'}$, by assumption, it remains to be shown that $p' \in R_{i,i'}$ and $p' \in \textit{disjoint-owned-tracks}(i,i')$. We consider these two conditions by cases:

1. $p' \in R_{i,i'}$.
This is the case because the function $\textit{future}_{i,i'}(p, \mathbb{R}^{\ge 0})$ only considers $R_{i,i'}$-reachable states.

2. $p' \in \textit{disjoint-owned-tracks}(i,i')$.
Since $p \in V^{(i)}_{i,i'}$, there are two possible scenarios: (i) $p \in \textit{successive}(i,i')$ and $p.l_i < p.l_{i'}$, (ii) $p \in \textit{adjacent}(i,i')$ and $p.O_i \subseteq [\,p.l_i, (p.l_i.e, \textit{length}(p.l_i.e))\,]$.

In the first case, it is as if the vehicle $i$ is trailing the vehicle $i'$ on a single track. Since $p \in V^{(i)}_{i,i'} \subseteq W_{i,i'}$, the sections of the track owned by the vehicles $i$ and $i'$ in state $p$ are disjoint. Now, consider the section of track owned by the vehicle $i$ in the state $p'$. Since $p'.O_i \subseteq p.O_i$, it follows that $p.l_i = \min(p.O_i) \le p'.l_i = \min(p'.O_i)$ and there exist locations in $p.O_i$ that are at least as downstream as any of the locations in $p'.O_i$. Next, consider the section of track owned by the vehicle $i'$ in the state $p'$. Because of the non-negative constraint on the vehicle velocities, it follows that the location $p'.l_{i'} = \min(p'.O_{i'})$ is either equal to, or downstream of, the location $p.l_{i'} = \min(p.O_{i'})$. Moreover, the section of track owned by the vehicle $i'$ in state $p'$ could only range from the location $p'.l_{i'}$ up to the locations that are a distance $\Delta$ downstream from the location $p.l_{i'}$. Therefore, because of the constraint on the length of the edges in the track topology and the constraint on the minimum number of edges comprising a cycle in the track topology, it follows that $p' \in \textit{disjoint-owned-tracks}(i,i')$.

In the second case, since $p.O_i \subseteq [\,p.l_i, (p.l_i.e, \textit{length}(p.l_i.e))\,]$, the section of the track owned by the vehicle $i$ in state $p$ is strictly within the incoming directed edge $p.l_i.e$. Since $p'.O_i \subseteq p.O_i$, the same is true for the section of track owned by the vehicle $i$ in state $p'$. Similarly to above, because of the non-negative constraint on the vehicle velocities, it follows that the location $p'.l_{i'} = \min(p'.O_{i'})$ is either equal to, or downstream of, the location $p.l_{i'} = \min(p.O_{i'})$. Moreover, the section of track owned by the vehicle $i'$ in state $p'$ could only range from the location $p'.l_{i'}$ up to the locations that are a distance $\Delta$ downstream from the location $p.l_{i'}$. Therefore, because of the constraint on the length of the edges in the track topology, the constraint on the minimum number of edges comprising a cycle in the track topology, the fact that the vehicles are traveling on adjacent tracks in state $p$, and the fact that the section of track owned by the vehicle $i$ remains within the incoming branch, it follows that $p' \in \textit{disjoint-owned-tracks}(i,i')$. ■


Lemma 8.4.9 If $p \in V^{(i)}_{i,i'}$ and $p' \in \textit{future}_{i,i'}(p, [0, d_{max}])$, then it is the case that $p' \in G_{i,i'}$ and $p'.O_i \subseteq p.O_i$.


Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $V^{(i)}_{i,i'}$, is only comprised of states in $R_{i,i'}$, involves no input actions on port $j$, and has a limit time that lies in the interval $[0, d_{max}]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_{i,i'}$ and $p_{final}.O_i \subseteq p_{init}.O_i$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$. From Lemma 8.4.1, part 2, and the fact that $p_{init} \in V^{(i)}_{i,i'} \subseteq V_{i,i'}$, it follows that $p_{final} \in G_{i,i'}$. Moreover, the fact that $p_{final}.O_i \subseteq p_{init}.O_i$ is trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, then $p_{final} \in G_{i,i'}$ and $p_{final}.O_i \subseteq p_{init}.O_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{final} \in G_{i,i'}$ and $p'_{final}.O_i \subseteq p'_{init}.O_i$. Moreover, from Lemma 8.4.8 it follows that $p'_{final} \in W_{i,i'}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, we consider all possible actions by cases:

1. the actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

3. the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I$, $i'' \ne i$, and $\textit{reset-location}(i'')$, for $i'' \in I$, affect neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{i,i'}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I$, $i'' \ne i$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I$, $i'' \ne i$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

4. the internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \ne i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{i,i'}$ and $p'_{final} \in W_{i,i'}$.

Since $p_{init} \in V^{(i)}_{i,i'} \subseteq P_{B_i}$ and the execution fragment leading from $p_{init}$ to $p'_{final}$ involves no input actions on port $j$, it follows that $p'_{final} \in P_{B_i}$. Therefore, in the case of a trajectory from $p'_{final}$ to $p_{final}$, Lemma 4.4.4, part 1, implies that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$. Moreover, since $p'_{final} \in G_{i,i'}$ and the variables $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ remain constant throughout the trajectory, it follows that $p_{final} \in G_{i,i'}$, as needed. ■


Lemma 8.4.10 $\textit{future}_{i,i'}(V^{(i)}_{i,i'}, [0, d_{max}]) \subseteq W_{i,i'}$.

Proof: Follows directly from Lemmas 8.4.8 and 8.4.9. ■

In the following lemma, we extend the result of Lemma 8.4.10 to the set $V_{i,i'}$.

Lemma 8.4.11 $\textit{future}_{i,i'}(V_{i,i'}, [0, d_{max}]) \subseteq W_{i,i'}$.

Proof: Follows directly from Lemma 8.4.10 and the fact that $V_{i,i'} = V^{(i)}_{i,i'} \cup V^{(i')}_{i,i'}$. ■

The following lemma states that any state $p$ in the set $V_{i,i'}$ is in the set $\textit{delay-safe}_{i,i'}(d)$; that is, any state $R_{i,i'}$-reachable from $p$ within an amount of time $d$ through an execution fragment that involves no input actions on port $j$ is in the set $G_{i,i'}$, and any state $R_{i,i'}$-reachable from $p$ in exactly an amount of time $d$ through an execution fragment that involves no input actions on port $j$ is in the set $\textit{safe}_{i,i'}$.

Lemma 8.4.12 $V_{i,i'} \subseteq \textit{delay-safe}_{i,i'}(d)$.

Proof: Follows from Lemma 3.2.4, part 1, Lemma 8.4.11, Corollary 8.4.7, and the fact that $d \le d_{max}$. ■
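The chain of inclusions behind the proof of Lemma 8.4.12, written out with the sets of Table 8.3. This derivation is added here for reference and is not part of the original thesis text; it assumes only that $\textit{future}_{i,i'}(S, \cdot)$ is monotone in its time argument, which holds because an execution fragment whose limit time lies in $[0,d]$ also has a limit time in $[0,d_{max}]$.

```latex
\begin{align*}
&\text{By the definition of } \textit{delay-safe}_{i,i'}(d) \text{ (Section 3.2.1), two conditions are required:}\\
&\quad \text{(1)}\ \textit{future}_{i,i'}(V_{i,i'},[0,d]) \subseteq G_{i,i'}
\qquad\text{and}\qquad
\text{(2)}\ \textit{future}_{i,i'}(V_{i,i'},d) \subseteq \textit{safe}_{i,i'}.\\[4pt]
&\text{Since } d \le d_{max}, \text{ we have } d \in [0,d] \subseteq [0,d_{max}], \text{ and therefore}\\
&\quad \textit{future}_{i,i'}(V_{i,i'},d)
\;\subseteq\; \textit{future}_{i,i'}(V_{i,i'},[0,d])
\;\subseteq\; \textit{future}_{i,i'}(V_{i,i'},[0,d_{max}])
\;\subseteq\; W_{i,i'} \quad\text{(Lemma 8.4.11).}\\[4pt]
&\text{Condition (2): } \textit{future}_{i,i'}(V_{i,i'},d) \subseteq W_{i,i'} = \textit{safe}_{i,i'} \quad\text{(Corollary 8.4.7).}\\
&\text{Condition (1): } \textit{future}_{i,i'}(V_{i,i'},[0,d]) \subseteq W_{i,i'} = \textit{safe}_{i,i'} \subseteq G_{i,i'} \quad\text{(Corollary 8.4.7; Lemma 3.2.4, part 1).}
\end{align*}
```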


In the next few lemmas, we show that any state $p$ in the set $T_{i,i'}(t)$, for any $t \in \mathbb{R}^{\ge 0}$, is in the set $\textit{delay-safe}_{i,i'}(t)$; that is, any state $R_{i,i'}$-reachable from $p$ within an amount of time $t$ through an execution fragment that involves no input actions on port $j$ is in the set $G_{i,i'}$, and any state $R_{i,i'}$-reachable from $p$ in exactly an amount of time $t$ through an execution fragment that involves no input actions on port $j$ is in the set $\textit{safe}_{i,i'}$.

Lemma 8.4.13 Let $p \in T_{i,i'}(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and $p' \in \textit{future}_{i,i'}(p, t)$, where $t \in [0, \tau]$. If $p' \in G_{i,i'}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, then $p' \in T_{i,i'}(\tau - t)$.


Proof: We need to show that $p' \in R_{i,i'} \cap G_{i,i'} \cap \textit{disjoint-claimed-tracks}(i,i',\tau - t)$. Since $p' \in G_{i,i'}$, by assumption, it remains to be shown that $p' \in R_{i,i'}$ and $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$. We consider these two conditions by cases:

1. $p' \in R_{i,i'}$.
This is the case because the function $\textit{future}_{i,i'}(p, t)$ only considers $R_{i,i'}$-reachable states.

2. $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$.
Since $p \in T_{i,i'}(\tau)$, it is the case that $p \in \textit{disjoint-claimed-tracks}(i,i',\tau)$. Therefore, since $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$ and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, it follows that $p' \in \textit{disjoint-claimed-tracks}(i,i',\tau - t)$, as needed. ■

Lemma 8.4.14 For all $p \in T_{i,i'}(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and $p' \in \textit{future}_{i,i'}(p, t)$, where $t \in [0, \tau]$, it is the case that $p' \in G_{i,i'}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$.
Proof: Let $\tau \in \mathbb{R}^{\ge 0}$ and $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $T_{i,i'}(\tau)$, is only comprised of states in $R_{i,i'}$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0, \tau]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_{i,i'}$, $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$.

The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ and $\alpha.\mathit{ltime} = 0$, i.e., $t = 0$. From Lemma 8.4.1, part 1, and the fact that $p_{init} \in T_{i,i'}(\tau)$, it follows that $p_{final} \in G_{i,i'}$. Moreover, since $t = 0$, the facts that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$ are trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k+1$, for some $k \in \mathbb{N}$, with $\alpha.\mathit{ltime} = t$, where $t \in [0, \tau]$, then $p_{final} \in G_{i,i'}$, $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories and let $\alpha'.\mathit{ltime} = t'$, where $t' \in [0, t]$. The induction hypothesis involves the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{final} \in G_{i,i'}$, $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$, and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Moreover, from Lemma 8.4.13 it follows that $p'_{final} \in T_{i,i'}(\tau - t')$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible discrete actions by cases:

1. the actions $\textit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\textit{brick-wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i)$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. Moreover, since the $\textit{brick-wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

3. the $\textit{brick-wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{i,i'}$. Therefore, since the $\textit{brick-wall}(i')$ action does not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \le p'_{final}.\dot{x}_{i'}$. Moreover, since the $\textit{brick-wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

4. the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{i,i'}$. Therefore, since the actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{i,i'}$.

Moreover, since the input actions $\textit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \ne j$, and the internal actions $\textit{brick-wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\textit{reset-location}(i'')$, for $i'' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

5. the internal actions $\textit{colliding-pair}(i'',i''')$, for $i'',i''' \in I$, $i'' \ne i'''$, and the internal actions $\textit{collision-effects}(i'')$, for $i'' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{i,i'}$ and $p'_{final} \in T_{i,i'}(\tau - t')$.

In the case of a trajectory, Lemma 4.4.4, part 2, implies that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. Moreover, since $p'_{final} \in G_{i,i'}$ and the $\textit{collided}(i,i')$ and $\textit{collided}(i',i)$ variables remain constant throughout the trajectory, it follows that $p_{final} \in G_{i,i'}$, as needed. ■
Lemma 8.4.15 For $T \in \mathbb{R}^{\geq 0}$ and $t \in [0, T]$, it is the case that futures$_{\{i,i'\}}(T_{\{i,i'\}}(T), t) \subseteq T_{\{i,i'\}}(T - t)$.

Proof: Follows directly from Lemmas 8.4.13 and 8.4.14. ∎


Corollary 8.4.16 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that futures$_{\{i,i'\}}(T_{\{i,i'\}}(t), 0) \subseteq T_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 8.4.15. ∎


Lemma 8.4.17 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $T_{\{i,i'\}}(t) \subseteq$ delay-safe$_{\{i,i'\}}(t)$.

Proof: From the definition of delay-safe in Section 3.2.1, we must show that:

1. futures$_{\{i,i'\}}(T_{\{i,i'\}}(t), [0, t]) \subseteq G_{\{i,i'\}}$, and
2. futures$_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq$ safe$_{\{i,i'\}}$.

The first condition follows directly from Lemma 8.4.15 and Lemma 8.4.1, part 1. Moreover, Lemma 8.4.15 and Lemma 8.4.1, part 5, imply that futures$_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq W_{\{i,i'\}}$. Therefore, the second condition follows from Lemma 8.4.5. ∎


In the following lemma, we show that the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements the protector Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$). Since the protector automata GRAPH-PROT-PAIR$_{\{i,i'\}}$ and Abs$_j$ involve the composition of the same sensor automaton with distinct controller automata, it suffices to show that the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements the discrete controller automaton DC(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).


Lemma 8.4.18 GRAPH-PROT-PAIR$_{\{i,i'\}} \leq$ Abs(GRAPH-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).


Proof: Both the GRAPH-PROT-PAIR$_{\{i,i'\}}$ and the Abs$_j$ protectors involve the composition of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements DC$_j$. This is shown by a simulation from the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ to DC$_j$.


The mapping between the states of the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ is almost the identity. In the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$, the variable send$_j$ is equal to either a member of $\mathcal{P}(\{i,i'\})$, or the value null. In DC$_j$, these valuations simply map to either the actions protect($C$)$_j$, where $C$ is the member of $\mathcal{P}(\{i,i'\})$ that corresponds to the valuation of the variable send$_j$ of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$, or the value null, respectively.


The start states for the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ are the states in which send$_j$ = null. These are related to each other according to the mapping discussed above.


Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the GRAPH-VEHICLES automaton that corresponds to the output state $y$, i.e., $p \in$ VALID and $p \lceil Y_{\text{GRAPH-VEHICLES}} = y$.


1. The snapshot($y$)$_j$ action of the implementation sets send$_j$ to an element of $\mathcal{P}(\{i,i'\})$. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action snapshot($y$)$_j$ of the implementation sets the value of the send$_j$ variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees that for all $p', p'' \in R_{\{i,i'\}}$ such that $p' \in$ futures$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, if $p \in$ safe$_{\{i,i'\}}$, and (ii) is an arbitrary output action of the implementation, otherwise.


First, consider the case in which $p \in$ safe$_{\{i,i'\}}$. Since Corollary 8.4.7 implies that $p \in W_{\{i,i'\}}$, the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ according to whether the state $p$ is in $T_{\{i,i'\}}(d)$, or not.


On one hand, if $p \notin T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to either $\{i\}$, or $\{i'\}$ according to the strategy described in Section 8.3. Therefore, the snapshot($y$)$_j$ action enables either the protect($\{i\}$)$_j$ action, or the protect($\{i'\}$)$_j$ action. Since $p \in W_{\{i,i'\}}$, Lemma 8.4.4 implies that $p' \in W_{\{i,i'\}}$. Moreover, since the protect($\{i\}$)$_j$ and protect($\{i'\}$)$_j$ actions affect neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, Lemma 4.4.3, part 1, implies that $p'' \in$ disjoint-owned-tracks($i, i'$). From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$. Moreover, since the protect($\{i\}$)$_j$ and protect($\{i'\}$)$_j$ actions set the brake-req($i, j$) and brake-req($i', j$) variables, respectively, to True, it follows that $p'' \in V_{\{i,i'\}}$. Finally, Lemma 8.4.12 implies that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, as needed.


On the other hand, if $p \in T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to $\emptyset$ and the protect($\emptyset$)$_j$ action is enabled. Since $p \in T_{\{i,i'\}}(d)$, Corollary 8.4.16 implies that $p' \in T_{\{i,i'\}}(d)$. Moreover, since the protect($\emptyset$)$_j$ action affects neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in T_{\{i,i'\}}(d)$, Lemma 4.4.3, part 2, implies that $p'' \in$ disjoint-claimed-tracks($i, i', d$). From the above conditions, it follows that $p'' \in T_{\{i,i'\}}(d)$. Finally, Lemma 8.4.17 implies that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, as needed.

Next, consider the case in which $p \notin$ safe$_{\{i,i'\}}$. In this case, the snapshot($y$)$_j$ action of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to either $\{i\}$, $\{i'\}$, or $\emptyset$ and, subsequently, enables either the protect($\{i\}$)$_j$ action, the protect($\{i'\}$)$_j$ action, or the protect($\emptyset$)$_j$ action, respectively. However, when $p \notin$ safe$_{\{i,i'\}}$, the DC$_j$ automaton sets the variable send$_j$ arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ is allowed by that of the DC$_j$ automaton.

Therefore, the effects of the snapshot($y$)$_j$ action of the implementation are allowed by its specification.


2. The protect($C$)$_j$ actions, for $C \in \mathcal{P}(\{i,i'\})$, have identical effects in both discrete controller automata. When the send$_j$ variable matches either the set $C$, or the protect($C$)$_j$ action, the action protect($C$)$_j$ is executed and the send$_j$ variable is set to null in both discrete controller automata.


3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ and the DC$_j$ automaton prior to and succeeding the execution of the environment action remains the same.


Corollary 8.4.19 The protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ guarantees that the automaton GRAPH-VEHICLES remains within $G_{\{i,i'\}}$ starting from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$.

Proof: Follows directly from Lemma 8.4.18 and Theorem 3.2.9. ∎


8.5 Protection System GRAPH-PROT 


We now define the collision protector GRAPH-PROT. While considering the automaton GRAPH-PROT, we restrict the states of the GRAPH-VEHICLES automaton to Prot-overspeed as defined in Section 4.2, i.e., $R_{\text{GRAPH-PROT}}$ = Prot-overspeed. Let $G_{\text{GRAPH-PROT}}$ and $S_{\text{GRAPH-PROT}}$ be the intersection of $G_{\{i,i'\}}$ and $S_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I, i \neq i'$, respectively, and GRAPH-PROT be the composition of GRAPH-PROT-PAIR$_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I, i \neq i'$. The protector GRAPH-PROT guarantees that GRAPH-VEHICLES remains within $G_{\text{GRAPH-PROT}}$ starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$. For reference, the formal definitions of the GRAPH-PROT automaton and the sets $G_{\text{GRAPH-PROT}}$, $S_{\text{GRAPH-PROT}}$, and $R_{\text{GRAPH-PROT}}$ are shown in Table 8.4.
Table 8.4 Formal definitions of GRAPH-PROT, $G_{\text{GRAPH-PROT}}$, $S_{\text{GRAPH-PROT}}$, and $R_{\text{GRAPH-PROT}}$.

GRAPH-PROT $= \prod_{i,i' \in I,\, i \neq i'}$ GRAPH-PROT-PAIR$_{\{i,i'\}}$

$G_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$

$S_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} S_{\{i,i'\}}$

$R_{\text{GRAPH-PROT}}$ = Prot-overspeed


Lemma 8.5.1 The protector GRAPH-PROT guarantees that the GRAPH-VEHICLES automaton remains within $G_{\text{GRAPH-PROT}}$ starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$.


In the following proof, we show that all the states of an execution of PP $\times$ GRAPH-PROT starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$ are in $G_{\text{GRAPH-PROT}}$. This is done by applying Theorem 3.1.8 and showing that the second condition of the theorem does not hold.


Proof: Let $\alpha$ be any execution of the system PP $\times$ GRAPH-PROT starting from a state in $S_{\text{GRAPH-PROT}}$ and in which all states are in $R_{\text{GRAPH-PROT}}$.


From Theorem 3.1.8, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$ except possibly the last state occurrence are in the set $G_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$.

(b) If the last state occurrence in $\alpha_1$ is in $\overline{G_{\{i,i'\}}}$ for some $i,i' \in I, i \neq i'$, then there exist $i'',i''' \in I$, $i'' \neq i'''$, $\{i'',i'''\} \neq \{i,i'\}$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{\{i'',i'''\}}}$.

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence are in the set $\bigcap_{\{i'',i'''\} \in N}$ past($G_{\{i'',i'''\}}, \alpha$), for some $N \subseteq \{\{i,i'\} \mid i,i' \in I, i \neq i'\}$, where $|N| \geq 2$.

We proceed by showing that it is not possible to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$ while satisfying the three aforementioned conditions.
The violation of $\bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$ can only occur through the violation of at least one of the conditions $G_{\{i,i'\}}$, where $i,i' \in I, i \neq i'$. Moreover, each of these conditions is violated only through the execution of a colliding-pair action. Without loss of generality, suppose that the first condition that is violated in $\alpha$ is the condition $G_{\{i,i'\}}$, for some $i,i' \in I, i \neq i'$, and that such a violation has resulted through a colliding-pair($i,i'$) action. Let $p$ and $p'$ be the states of the system prior to and succeeding this colliding-pair($i,i'$) action, i.e., $p,p' \in R_{\text{GRAPH-PROT}}$ such that $p \xrightarrow{\pi} p'$, where $\pi$ = colliding-pair($i,i'$). Since the colliding-pair($i,i'$) action only sets the collided($i,i'$) variable to True, it follows that the state $p'$ is in the set $\overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$. Now, we attempt to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$:


1. Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I, i'' \neq i'''$, is violated, it is the case that $p \in \bigcap_{i'',i''' \in I,\, i'' \neq i'''} G_{\{i'',i'''\}}$ and there does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I, i'' \neq i'''\}$ such that $|N| \geq 2$ and $p \in \bigcap_{\{i'',i'''\} \in N}$ past($G_{\{i'',i'''\}}, \alpha$). Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.


2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I, i'' \neq i'''$, is violated and since the state $p'$ is in $\overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that there does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I, i'' \neq i'''\}$ such that $|N| \geq 2$ and $p' \in \bigcap_{\{i'',i'''\} \in N}$ past($G_{\{i'',i'''\}}, \alpha$). Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.


3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. However, $p' \in \overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since $p' \in \overline{G_{\{i,i'\}}} \cap \left(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that the state $p'$ is not in the set $\bigcap_{i'',i''' \in I,\, i'' \neq i'''} G_{\{i'',i'''\}}$. Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.


Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{\text{GRAPH-PROT}}$. This implies that the protector GRAPH-PROT guarantees $G_{\text{GRAPH-PROT}}$ in the GRAPH-VEHICLES automaton starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$. ∎
Chapter 9

Composing the Overspeed and Collision Avoidance Protection Systems


In the previous chapters, we presented example protectors whose correct operation required that the physical plant automaton at hand satisfied particular properties. For instance, in the case of the VEHICLES automaton of Chapter 4, the overspeed protector OS-PROT of Chapter 5 assumes that none of the vehicles collide among themselves and the collision protector CL-PROT of Chapter 6 assumes that none of the vehicles exceed the speed limit. Similarly, the MERGE-PROT protector of Chapter 7 and the GRAPH-PROT protector of Chapter 8 guarantee that none of the vehicles collide among themselves in the MERGE-VEHICLES and GRAPH-VEHICLES automata, respectively, provided that all the vehicles are abiding by the speed limit. In this chapter, we compose the overspeed and collision protectors for the VEHICLES automaton and show that the resulting protector guarantees that the vehicles in the VEHICLES automaton neither exceed the speed limit, nor collide among themselves. We extend these results to the MERGE-VEHICLES and GRAPH-VEHICLES automata after assuming that the overspeed protector OS-PROT of Chapter 5 extends, virtually unchanged, to the MERGE-VEHICLES and GRAPH-VEHICLES automata.


9.1 Overspeed and Collision Avoidance for the VEHICLES Automaton

In the following lemma, we show that the composition of the protectors OS-PROT and CL-PROT guarantees that the vehicles in the VEHICLES automaton neither exceed the speed limit, nor collide among themselves.
Lemma 9.1.1 The composition of OS-PROT and CL-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$.


In the following proof, we show that all the states of an execution of PP $\times$ OS-PROT $\times$ CL-PROT starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$ are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. This is done by applying Theorem 3.1.7 and showing that the second condition of the theorem does not hold.


Proof: Let $\alpha$ be any execution of the system PP $\times$ OS-PROT $\times$ CL-PROT starting from a state in $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$.


From Theorem 3.1.7, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$ except possibly the last are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.

(b) The last state occurrence in $\alpha_1$ is in $G_i$, for some $i \in \{$OS-PROT, CL-PROT$\}$, if and only if it is in $G_{i'}$, for $i' \in \{$OS-PROT, CL-PROT$\}$, $i' \neq i$.

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence of $\alpha_2$ are in past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$).

We proceed by showing that it is not possible to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$ as proposed by the second clause of Theorem 3.1.7. Then it trivially follows that the first clause of Theorem 3.1.7 holds; that is, for any such $\alpha$, all states are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.


The violation of $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ can occur through the violation of either $G_{\text{OS-PROT}}$, or $G_{\text{CL-PROT}}$. On one hand, provided that no collisions have occurred, the violation of $G_{\text{OS-PROT}}$ can only occur within a trajectory of the VEHICLES automaton. On the other hand, the violation of $G_{\text{CL-PROT}}$ can only occur through the execution of a colliding-pair($i,i'$) action, for some $i,i' \in I, i' \neq i$. We analyze each of these cases separately.


1. In the first case, the key point is that the violation of the speed limit by any of the vehicles in the VEHICLES automaton can only occur within a trajectory and that a collision can not be recorded within a trajectory. Therefore, the fact that the speed limit is violated prior to the occurrence of any vehicle collisions would imply that the OS-PROT protector is not working correctly; that is, Corollary 5.3.1 is false.


Let $w$ be the first trajectory in $\alpha$ containing a state occurrence in $\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}$. Suppose that $w$ is a $T_i$-trajectory and let $T'_i$ be the subset of $T_i$ consisting of all $t$ such that $(i, t, w(t)) \in$ past($G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha$). Then $T'_i$ is a non-empty subinterval of $T_i$ that is "upward-closed", i.e., if $t \in T'_i$, $t' \in T_i$, and $t < t'$, then $t' \in T'_i$. Since $T'_i$ is an interval of reals, it has a left endpoint $t$ which might or might not itself be in $T'_i$. It is important to note that since the collided($i,i'$) variables, for $i,i' \in I, i \neq i'$, remain constant throughout any trajectory of the VEHICLES automaton, it is only possible to violate the $G_{\text{OS-PROT}}$ condition within the trajectory $w$; that is, all the states in $w$ are in the set $G_{\text{CL-PROT}}$. Therefore, letting $s = w(t)$, all state occurrences in $\alpha$ that precede the state occurrence $(i, t, s)$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. Now, we attempt to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$.


(a) Suppose we split $\alpha$ at any state preceding the state $(i, t, s)$. Then the state $(i, t, s)$ is in $\alpha_2$. Since $(i, t, s)$ is in $G_{\text{CL-PROT}}$ and all states that precede the state $(i, t, s)$ are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$, it is the case that $(i, t, s) \notin$ past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$). Since the state $(i, t, s)$ is not the first state in $\alpha_2$, the third condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(b) Suppose we split $\alpha$ at the state $(i, t, s)$ and suppose that the state $(i, t, s)$ is not the last state of $w$. Then any state of the trajectory $w$ that succeeds the state $(i, t, s)$ is in $\alpha_2$. Moreover, since all of the states in $w$ are in $G_{\text{CL-PROT}}$, none of the states in $w$ that succeed $(i, t, s)$ are in past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$). Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

(c) Suppose we split $\alpha$ at the state $(i, t, s)$ and suppose that the state $(i, t, s)$ is the last state of $w$. Then since $w$ is the first trajectory in $\alpha$ containing an occurrence of a state in $\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}$, it follows that $(i, t, s) \in \overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}$. Moreover, since all the states in $w$ are in $G_{\text{CL-PROT}}$, it is the case that $(i, t, s) \in \overline{G_{\text{OS-PROT}}} \cap G_{\text{CL-PROT}}$. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

(d) Suppose we split $\alpha$ at a state $s''$ that succeeds the state $(i, t, s)$. Let $(i, t', s')$ be a state of the trajectory $w$ that succeeds the state $(i, t, s)$ and precedes the state $s''$. The state $(i, t', s')$ is in $\alpha_1$. By definition of $T'_i$, it is the case that $(i, t', s')$ is in past($G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha$). Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.


2. In the second case, the key point is that a collision can only be recorded by an action and that such an action can not cause the velocity of a vehicle to exceed the speed limit. Therefore, the fact that a collision among the vehicles occurs prior to the violation of the speed limit would imply that the CL-PROT protector is not working correctly, i.e., Lemma 6.3.1 is false.


Without loss of generality, suppose that the $G_{\text{CL-PROT}}$ condition is violated through a colliding-pair($i,i'$) action, for some $i,i' \in I, i' \neq i$. Let $p$ and $p'$ be the states of the system prior to and succeeding this colliding-pair($i,i'$) action, i.e., $p,p' \in$ VALID such that $p \xrightarrow{\pi} p'$, where $\pi$ = colliding-pair($i,i'$). Since the colliding-pair($i,i'$) action only sets the collided($i,i'$) variable to True, it follows that the state $p'$ is in the set $G_{\text{OS-PROT}} \cap \overline{G_{\text{CL-PROT}}}$. Now, we attempt to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$.
(a) Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$. Since $p'$ is the first state in $\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}$, it is the case that all the states of $\alpha$ preceding $p'$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$; that is, $p \notin$ past($G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha$) and $p \notin$ past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$). Since $p$ is not the first state in $\alpha_2$, the third condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(b) Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first state in $\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}$, it is the case that all the states of $\alpha$ preceding $p'$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$; that is, $p \notin$ past($G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha$) and, moreover, $p \notin$ past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$). Since $p'$ follows from $p$ in a single step and $p' \in G_{\text{OS-PROT}} \cap \overline{G_{\text{CL-PROT}}}$, it is the case that $p' \notin$ past($G_{\text{OS-PROT}}, \alpha$) $\cap$ past($G_{\text{CL-PROT}}, \alpha$). Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

(c) Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. Since $p' \in G_{\text{OS-PROT}} \cap \overline{G_{\text{CL-PROT}}}$, the second condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(d) Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since $p' \in G_{\text{OS-PROT}} \cap \overline{G_{\text{CL-PROT}}}$, the first condition is violated. Therefore, this decomposition of $\alpha$ is not valid.


Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.7 must hold; that is, every state in $\alpha$ is in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. This implies that the protector OS-PROT $\times$ CL-PROT guarantees $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$. ∎
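The decomposition argument used in the proof of Lemma 8.5.1 (via Theorem 3.1.8, one guarantee per unordered pair of vehicles) and in the proof of Lemma 9.1.1 (via Theorem 3.1.7, two guarantees) can be checked mechanically on a finite, discretized execution. The following Python is an added example and is not code from the thesis: it models an execution as a list of state occurrences, each tagged with which guarantee sets it belongs to, computes past($G, \alpha$) under the reading the proofs rely on (an occurrence is in past($G, \alpha$) once some occurrence at or before it lies outside $G$; this is an assumption here, since the definition itself is not on this page), and searches for a split $\alpha = \alpha_1 \frown \alpha_2$ satisfying conditions (a), (b) and (c). With two guarantees condition (b) reduces to the "if and only if" form of Theorem 3.1.7; with several pairwise guarantees it is the form of Theorem 3.1.8. The traces are constructed for the example: a collision recorded by a discrete action before any speed-limit violation admits no valid split, while a simultaneous violation of two guarantees does.

```python
from itertools import combinations
from typing import Dict, List, Sequence, Set

# A state occurrence is modelled only by which guarantee sets it belongs to;
# an execution alpha is the list of its state occurrences in order.
State = Dict[str, bool]
Execution = List[State]


def past(guarantee: str, alpha: Execution) -> Set[int]:
    """Indices of the state occurrences of alpha that lie in past(G, alpha).

    Assumed reading, taken from how the proofs use the set: an occurrence is
    in past(G, alpha) once some occurrence at or before it lies outside G.
    """
    for k, state in enumerate(alpha):
        if not state[guarantee]:
            return set(range(k, len(alpha)))
    return set()


def in_all(state: State, guarantees: Sequence[str]) -> bool:
    """True iff the state lies in the intersection of the guarantee sets."""
    return all(state[g] for g in guarantees)


def valid_split(alpha: Execution, guarantees: Sequence[str], split: int) -> bool:
    """Check conditions (a)-(c) for alpha = alpha_1 ^ alpha_2, where alpha_1
    ends and alpha_2 begins with the state occurrence at index `split`."""
    # (a) every occurrence of alpha_1 except possibly its last is in the intersection
    if not all(in_all(alpha[k], guarantees) for k in range(split)):
        return False
    # (b) if the last occurrence of alpha_1 violates one guarantee, it violates
    #     at least one other as well (with two guarantees: the iff of Theorem 3.1.7)
    if len([g for g in guarantees if not alpha[split][g]]) == 1:
        return False
    # (c) every occurrence of alpha_2 except possibly its first lies in the
    #     intersection of past(G, alpha) over some set N of guarantees, |N| >= 2
    pasts = {g: past(g, alpha) for g in guarantees}
    tail = range(split + 1, len(alpha))
    for size in range(2, len(guarantees) + 1):
        for chosen in combinations(guarantees, size):
            common = set.intersection(*(pasts[g] for g in chosen))
            if all(k in common for k in tail):
                return True
    return False


def decomposable(alpha: Execution, guarantees: Sequence[str]) -> bool:
    """True iff some split point satisfies (a)-(c), i.e. clause 2 can hold."""
    return any(valid_split(alpha, guarantees, k) for k in range(len(alpha)))


# Constructed traces for the two-protector case of Lemma 9.1.1.
OS, CL = "OS-PROT", "CL-PROT"
# Case 2 of the proof: a colliding-pair action violates G_CL-PROT first;
# the speed limit is only violated later, within a trajectory.
SEQUENTIAL: Execution = [
    {OS: True, CL: True},
    {OS: True, CL: False},
    {OS: False, CL: False},
]
# Both guarantees violated in the same step: a split there satisfies (a)-(c).
SIMULTANEOUS: Execution = [
    {OS: True, CL: True},
    {OS: False, CL: False},
    {OS: False, CL: False},
]

# Constructed traces in the shape of Theorem 3.1.8: one guarantee per
# unordered pair of three vehicles, as for GRAPH-PROT in Section 8.5.
PAIRS = ["{1,2}", "{1,3}", "{2,3}"]
PAIR_SEQUENTIAL: Execution = [
    {"{1,2}": True, "{1,3}": True, "{2,3}": True},
    {"{1,2}": False, "{1,3}": True, "{2,3}": True},   # colliding-pair(1,2)
    {"{1,2}": False, "{1,3}": False, "{2,3}": True},  # colliding-pair(1,3) later
]
PAIR_SIMULTANEOUS: Execution = [
    {"{1,2}": True, "{1,3}": True, "{2,3}": True},
    {"{1,2}": False, "{1,3}": True, "{2,3}": False},  # two pairs fail at once
    {"{1,2}": False, "{1,3}": True, "{2,3}": False},
]

if __name__ == "__main__":
    print("two protectors, sequential failures:", decomposable(SEQUENTIAL, [OS, CL]))
    print("two protectors, simultaneous failure:", decomposable(SIMULTANEOUS, [OS, CL]))
    print("pair guarantees, sequential failures:", decomposable(PAIR_SEQUENTIAL, PAIRS))
    print("pair guarantees, simultaneous failure:", decomposable(PAIR_SIMULTANEOUS, PAIRS))
```

The search mirrors the case analysis of the proofs: splitting before the first violating state fails (c) because only one guarantee has entered its past set, splitting at or after it fails (b) or (a), so no split exists and the theorem's first clause is the only one left. The simultaneous traces show what the theorem's second clause is guarding against, which is exactly the situation the ordering of trajectories and discrete actions rules out in Chapter 9.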


9.2 Overspeed and Collision Avoidance for the MERGE-VEHICLES Automaton


In the following lemma, we state that the composition of the protectors OS-PROT and MERGE-PROT guarantees that the vehicles of the MERGE-VEHICLES automaton neither exceed the speed limit, nor collide among themselves. It is important to note that it is assumed without proof that the protector OS-PROT and Corollary 5.3.1 extend to the MERGE-VEHICLES automaton. In fact, since the strategy of the OS-PROT protector defined for the VEHICLES automaton in Chapter 5 does not depend on the nature of the track topology, the OS-PROT protector of Chapter 5 extends to the MERGE-VEHICLES automaton virtually unchanged.
Lemma 9.2.1 The composition of OS-PROT and MERGE-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{MERGE-PROT}}$ in the MERGE-VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{MERGE-PROT}}$.

Proof: This proof follows precisely the steps of the proof of Lemma 9.1.1. ∎


9.3 Overspeed and Collision Avoidance for the GRAPH-VEHICLES Automaton


In the following lemma, we state that the composition of the protectors OS-PROT and GRAPH-PROT guarantees that the vehicles of the GRAPH-VEHICLES automaton neither exceed the speed limit, nor collide among themselves. It is important to note that it is assumed without proof that the protector OS-PROT and Corollary 5.3.1 extend to the GRAPH-VEHICLES automaton. In fact, since the strategy of the OS-PROT protector defined for the VEHICLES automaton in Chapter 5 does not depend on the nature of the track topology, the OS-PROT protector of Chapter 5 extends to the GRAPH-VEHICLES automaton virtually unchanged.


Lemma 9.3.1 The composition of OS-PROT and GRAPH-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{GRAPH-PROT}}$ in the GRAPH-VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{GRAPH-PROT}}$.

Proof: This proof follows precisely the steps of the proof of Lemma 9.1.1. ∎
Chapter 10

Conclusions and Future Work


This thesis investigates how the formal modeling and verification techniques of computer science can be used for the analysis of hybrid systems. The motivation behind such research lies in the inherent similarity of the hierarchical and decentralized control strategies of hybrid systems and the formal techniques used for the verification of distributed systems in computer science. The thesis focuses on the development of techniques that use hybrid I/O automata to model automated transportation systems and to verify that their protection subsystems enforce the desired safety properties. The long-term goal of such research is to develop a simple and scalable framework for modeling complex hybrid systems with stringent safety and performance requirements.


10.1 Summary 


The thesis is split into two major parts. First, we develop an abstract model of a physical plant that is interacting with several protectors. Second, we specialize the abstract models of the physical system and the protectors to simplified versions of the PRT 2000™ and its overspeed and collision protection subsystems.


As indicated above, the first part of the thesis is devoted to the development of an abstract model of a physical plant and a number of protectors that guarantee particular safety or performance properties. Both the physical plant and the protectors are modeled as hybrid I/O automata. The protector automata communicate with the physical plant automaton through shared variables and discrete actions. If $S$, $R$, and $G$ are subsets of the states of the physical plant, then a protector automaton $A$ for the physical plant PP guarantees $G$ from $S$ given $R$ provided that every finite execution of the composition PP $\times$ $A$ starting in a state in $S$ that only involves states in $R$ ends in a state in $G$. It is shown that if two or more protectors do not rely on the correct operation of each other, i.e., if the protectors are independent, then their composition guarantees the properties guaranteed by each of the protectors being composed. On the other hand, if the protectors rely on the correct operation of each other, their composition guarantees the properties guaranteed by each of the protectors being composed only under certain conditions.


The abstract protector is parameterized in terms of the physical plant PP, the start states $S$, the sets of guarantee $G$ and reliance $R$, the port $j$ through which it communicates with the physical plant automaton, and the sampling period $d$. It is defined as the composition of a sensor and a discrete controller, both modeled as hybrid I/O automata. The sensor automaton samples the output variables of the physical plant at intervals of $d$ time units and the discrete controller automaton issues protective actions so as to ensure that the physical plant exhibits the desired safety properties. The correctness of the abstract protector reduces the correctness proof of a protector implementation to a simulation proof among the states of the implementation and the particular instantiation of the abstract protector.


The second part of the thesis involves the proof of correctness of overspeed and collision protectors for a simple model of an automated transportation system involving $n$ vehicles. The overspeed and collision protectors are redefined for three types of track topology: a single track, a track involving a Y-shaped merge, and a general track topology comprised of Y-shaped merges and diverges.


In the case of a single track, the overspeed protector is defined as the composition of $n$ protectors, each of which guarantees that a particular vehicle does not exceed the speed limit, provided that none of the vehicles collide among themselves. Conversely, the collision protector is defined as the composition of $n$ protectors, each of which guarantees that a particular vehicle does not collide into any of the vehicles it trails, provided that none of the vehicles exceed the speed limit and that none of the other vehicles collide into any of the vehicles they respectively trail.


In the cases of the more complicated track topologies, although the overspeed protector remains unchanged, the collision protectors are restructured. They involve the composition of $n(n-1)/2$ protectors, each of which guarantees that a particular unordered pair of vehicles do not collide between themselves, provided that none of the vehicles exceed the speed limit and that the vehicles of all other unordered pairs of vehicles do not collide between themselves.


Due to the correctness proof of the parameterized abstract protector, the proofs of correctness of the overspeed protectors for the individual vehicles and of the collision protectors for either individual, or unordered pairs of vehicles, are straightforward. They simply involve demonstrating the existence of a simulation relation among the states of the particular protector implementations and the particular instantiations of the parameterized abstract protector.


The composition of the overspeed protectors is straightforward due to their independence. The proof of correctness of the overspeed protection subsystem involves the application of the aforementioned composition theorems for independent protectors. In the case of the collision protectors, since the individual collision protectors rely on the correct operation of each other, the proof of correctness of their composition is more involved. It relies on the careful decomposition of the collision protection subsystem so that the failure of multiple collision protectors at the same instant in time is prohibited. Similarly, the correct operation of the composition of the overspeed and collision protection subsystems relies on the fact that the overspeed protectors and the collision protectors can only fail through trajectories and discrete actions, respectively.


10.2 Evaluation 


The contributions of this thesis are twofold. First, we develop an abstract model of an automated transportation system comprised of a physical plant and an arbitrary number of protectors. Second, we specialize the abstract model so as to analyze and verify a particular automated transportation system and its overspeed and collision protection systems.


The abstract models that are developed include the physical plant and a number of protectors. The abstract protector is parameterized in terms of the physical system, its start states, its sets of guarantee and reliance, the port with which it communicates with the physical plant and the sampling period. Therefore, the specification of a particular automated transportation system involves refinement of the abstract model. Moreover, the proof of correctness of the abstract model leads to simple correctness proofs of the protector implementations for particular instantiations of the abstract model. Finally, composition of independent protectors is straightforward. The safety properties of the individual protectors are guaranteed by the composed protector. Such compositional assertions also hold for dependent protectors under certain conditions. The use of abstraction, modular decomposition, and composition is hoped to allow the scalability of the formal method analysis and the verification of large and complex hybrid systems.


In this work, we demonstrate how hybrid I/O automaton techniques can be applied to the specification and verification of a very general automated transportation problem. We believe that the techniques developed in this thesis complement more traditional safety analysis. For example, safety engineers typically perform a fault-tree analysis to identify possible causes of each system hazard and related dependencies among system components. In our work, we use composition of automata to formalize these dependencies: to yield a speed limited system, we compose the physical plant with a set of overspeed protectors, one for each vehicle, and assume that no collisions occur in the physical system; conversely, to yield a collision free physical system, we compose the physical system with a set of collision protectors, either one for each vehicle, or one for each unordered pair of vehicles, and assume that none of the vehicles exceed the speed limit. The composition of the physical system in such ways formalizes the independence of the overspeed protectors, the interdependence of the collision protectors and more importantly the interdependence of the overspeed protectors and the collision protectors. We believe a more comprehensive treatment in this style of all the protection subsystems would, as a by-product, yield a significant subtree of the fault-tree.


10.3 Future Work 


In this thesis, the treatment of automated transportation systems is a case study in the use 
of hybrid I/O automata to formally model hybrid systems. The focus of the research is on the 
use of abstraction, modularity, and composition to develop an abstract model of automated 
transportation systems to be used in the analysis and verification of transportation systems 
in use or under development. The long-term goal is to see how the formal methods of 
computer science can be used to model hybrid systems in a modular and systematic way and 
to verify their safety or performance characteristics. However, issues that have yet to be 
addressed involve the topics of robustness, scalability, tractability, and the use of formal 
methods as part of the system design process. 


The work in this thesis assumes an ideal system; that is, the communication among the 
various subsystems is assumed to be correct and reliable, and to occur in a timely fashion. 
Moreover, the sampling of the state of the physical plant is assumed to be exact, and the 
effects of the protective actions are assumed to be precise. Since these assumptions are 
far from realistic, future research could involve the development of formal methods for 
analyzing and verifying automated transportation systems that are robust with respect to 
communication delays and uncertainty. For example, the treatment of automated 
transportation systems in this thesis could be extended to allow delays in the 
communication between the plant and the protectors, and uncertainty either in the sampling 
of the state or in the effects of the protective actions. The treatment of automated 
transportation systems could also be extended to accommodate fault tolerance, for example 
by allowing the track topology to be dynamic so that vehicles are kept off branches of the 
track that have failed, either structurally or because of unexpected accidents. 
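The following is an added example, not code from the thesis. It reduces the assume-guarantee composition of Section 10.2 to a discrete-time toy: a Plant with straight-track vehicles stepped at a fixed dt, and a Protector record carrying exactly the parameters the abstract protector is said to have (port, sampling period, reliance set, guarantee set), with the reliance and guarantee written as predicates on plant state. The names Plant, Protector, overspeed_protector, collision_protector and run, the Euler-stepped dynamics, the vehicle parameters and the hypothetical assumed_period knob are all assumptions made for this illustration; the thesis proves the corresponding properties for hybrid I/O automata by hand. The first scenario composes an overspeed protector per vehicle with a collision protector for the pair and checks at every step that every reliance and every guarantee holds. The second drops the overspeed protectors, so the collision protector's reliance (the follower's speed stays below the limit) is eventually violated and its guarantee is no longer established. The third sizes an overspeed protector's braking margin for a shorter sampling period than the plant is actually sampled at, which is the kind of timing idealization this section lists as future work.

```python
"""Assume-guarantee composition of sampled-data protectors as a discrete-time toy.

Added example, not code from the thesis: the Euler-stepped Plant, the Protector
record and the scenario functions are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

EPS = 1e-9  # slack for floating-point round-off in the checks


@dataclass
class Plant:
    """Vehicles on a straight track; each accelerates at `accel` unless braked."""
    pos: List[float]
    vel: List[float]
    accel: float
    brake: float
    braking: List[bool] = field(init=False)

    def __post_init__(self):
        self.braking = [False] * len(self.pos)

    def gaps(self):  # distance from each vehicle to the one ahead of it
        return [self.pos[k + 1] - self.pos[k] for k in range(len(self.pos) - 1)]

    def step(self, dt):
        for i in range(len(self.pos)):
            a = -self.brake if self.braking[i] else self.accel
            v = max(0.0, self.vel[i] + a * dt)
            self.pos[i] += 0.5 * (self.vel[i] + v) * dt  # exact for constant a
            self.vel[i] = v


@dataclass
class Protector:
    """Samples the plant through `port` every `period`; `rule` decides braking.
    `reliance` is what it assumes of the rest, `guarantee` what it ensures."""
    name: str
    port: int
    period: float
    reliance: Callable[[Plant], bool]
    guarantee: Callable[[Plant], bool]
    rule: Callable[[Plant], bool]


def overspeed_protector(i, vmax, accel, d_min, period, assumed_period=None):
    """Guarantees vel[i] <= vmax, relying on vehicles staying d_min apart.
    Brakes when one more period of acceleration could reach vmax. The hypothetical
    `assumed_period` knob sizes that margin for a period other than the real one."""
    t = period if assumed_period is None else assumed_period
    return Protector(f"overspeed[{i}]", i, period,
                     reliance=lambda p: all(g >= d_min - EPS for g in p.gaps()),
                     guarantee=lambda p: p.vel[i] <= vmax + EPS,
                     rule=lambda p: p.vel[i] + accel * t >= vmax)


def collision_protector(i, j, d_min, vmax, accel, brake, period):
    """Guarantees pos[j] - pos[i] >= d_min for follower i behind leader j, relying
    on vel[i] <= vmax (the overspeed protector's guarantee). Worst case assumed:
    the leader stops instantly, the follower accelerates one more period, then
    brakes to a halt."""
    def rule(p):
        v = p.vel[i]
        travel = v * period + 0.5 * accel * period ** 2
        v_next = min(vmax, v + accel * period)  # the min is sound only under the reliance
        return p.pos[j] - p.pos[i] - travel - v_next ** 2 / (2 * brake) < d_min
    return Protector(f"collision[{i},{j}]", i, period,
                     reliance=lambda p: p.vel[i] <= vmax + EPS,
                     guarantee=lambda p: p.pos[j] - p.pos[i] >= d_min - EPS,
                     rule=rule)


def run(plant, protectors, dt, steps) -> Dict[str, object]:
    """Compose plant and protectors; check every reliance and guarantee at every
    step. A vehicle brakes if any protector on its port says so. Returns the first
    violation as (kind, protector name) or None, plus summary statistics."""
    decision = {p.name: False for p in protectors}
    engaged = {p.name: 0 for p in protectors}  # how often each one commanded a brake
    max_vel, min_gap = max(plant.vel), float("inf")
    for step in range(steps + 1):
        for p in protectors:
            if step % round(p.period / dt) == 0:
                decision[p.name] = p.rule(plant)
                engaged[p.name] += int(decision[p.name])
        for i in range(len(plant.pos)):
            plant.braking[i] = any(decision[p.name] for p in protectors if p.port == i)
        max_vel = max([max_vel] + plant.vel)
        min_gap = min([min_gap] + plant.gaps())
        for p in protectors:
            for kind, holds in (("reliance", p.reliance), ("guarantee", p.guarantee)):
                if not holds(plant):
                    return dict(violation=(kind, p.name), step=step, max_vel=max_vel,
                                min_gap=min_gap, engaged=engaged)
        plant.step(dt)
    return dict(violation=None, step=steps, max_vel=max_vel, min_gap=min_gap, engaged=engaged)


T, ACCEL, BRAKE, VMAX, D_MIN = 0.1, 2.0, 4.0, 10.0, 5.0  # constructed parameters


def composed_system():
    """Overspeed protector per vehicle plus a collision protector for the pair:
    constructed scenario, follower at 8 m/s closing on a leader at 2 m/s, 20 m ahead."""
    plant = Plant([0.0, 20.0], [8.0, 2.0], ACCEL, BRAKE)
    prots = [overspeed_protector(i, VMAX, ACCEL, D_MIN, T) for i in range(2)]
    prots.append(collision_protector(0, 1, D_MIN, VMAX, ACCEL, BRAKE, T))
    return run(plant, prots, dt=0.01, steps=2000)


def collision_only():
    """Same plant without overspeed protectors: the collision protector's reliance
    is eventually violated, so its guarantee is no longer established."""
    plant = Plant([0.0, 20.0], [8.0, 2.0], ACCEL, BRAKE)
    return run(plant, [collision_protector(0, 1, D_MIN, VMAX, ACCEL, BRAKE, T)], 0.01, 2000)


def slow_sampling():
    """One vehicle whose overspeed protector sized its margin for 0.1 s but is
    actually sampled every 0.5 s: the idealized timing assumption fails."""
    plant = Plant([0.0], [5.5], ACCEL, BRAKE)
    prot = overspeed_protector(0, VMAX, ACCEL, D_MIN, period=0.5, assumed_period=T)
    return run(plant, [prot], 0.01, 500)
```

The point of checking reliances as well as guarantees in run is that a protector's guarantee only counts once every assumption it relies on is discharged by another protector in the composition; collision_only reports the reliance failure rather than waiting for a collision, which is the compositional argument of Section 10.2 made operational. The collision rule's cap of the follower's next-period speed at VMAX is exactly where the interdependence between the two protector kinds lives.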


In this thesis, we develop formal modeling techniques that are based on abstraction, 
modularity, and subsystem composition. The motivation behind this approach is the intent 
to model and verify complex hybrid systems that involve hierarchical and decentralized 
control schemes. Therefore, it is imperative to examine the scalability and tractability 
characteristics of the formal modeling techniques developed. The success in modeling the 
overspeed and collision protectors of an automated transportation system in this thesis 
indicates that the modeling techniques based on hybrid I/O automata are scalable to larger 
and more complex systems. However, the study and formal analysis of more complex systems 
remains to be done. In particular, it would be interesting to examine how complex 
continuous-time dynamics affect the formal modeling tools developed in this thesis. 
Moreover, the lengthy correctness proofs, which were done by hand in this thesis, expose 
issues of tractability concerning the analysis and verification of complex transportation 
systems. In fact, they make it necessary that computer-aided verification methods for 
hybrid I/O automata be developed. 


The formal modeling techniques developed in this thesis are intended for the analysis and 
verification of automated transportation systems. Future research could investigate the 
potential of using the formal methods of computer science as an integral part of the design 
of the hierarchical and decentralized control schemes of automated transportation systems 
and of hybrid systems in general. 